Cisco Security Advisory
Cisco IOS Software and IOS XE Software TCP Packet Memory Leak Vulnerability
AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
Summary
A vulnerability in the TCP input module of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak and eventual reload of the affected device.
The vulnerability is due to improper handling of certain crafted packet sequences used in establishing a TCP three-way handshake. An attacker could exploit this vulnerability by sending a crafted sequence of TCP packets while establishing a three-way handshake. A successful exploit could allow the attacker to cause a memory leak and eventual reload of the affected device.
There are no workarounds for this vulnerability.
Cisco has released software updates that address this vulnerability. This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-tcpleak
Note: The March 25, 2015, Cisco IOS & XE Software Security Advisory bundled publication includes seven Cisco Security Advisories. The advisories address vulnerabilities in Cisco IOS Software and Cisco IOS XE Software. Individual publication links are in Cisco Event Response: Semiannual Cisco IOS & XE Software Security Advisory Bundled Publication at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar15.html
Affected Products
Vulnerable Products
Cisco devices that are running affected Cisco IOS Software or Cisco IOS XE Software are vulnerable. Cisco devices running Cisco IOS or Cisco IOS XE Software configured with any process listening on any TCP port are potentially affected. There are multiple processes in Cisco IOS Software that can be configured to listen on TCP ports. Examples of such configured processes are HTTP, HTTPS, SSH, or Telnet. Other configured processes may exist on an affected device and may listen on TCP ports. The configuration necessary to determine whether any of the TCP listening processes is enabled on a Cisco device is specific to the configured process.
On certain devices running Cisco IOS and Cisco IOS XE Software it is possible to determine whether any processes are listening on TCP ports. To determine whether a Cisco IOS device or Cisco IOS XE device would process TCP packets destined to a listening service, log in to the device and issue either of the following command line interface (CLI) commands: show tcp brief all or show control-plane host open-ports. If the output shows any process listening on any TCP port, the device is vulnerable.
The following example shows a Cisco IOS device that is affected by this vulnerability. The device is vulnerable because there are processes listening on TCP ports 80 and 22:
Router#show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:22 *:0 SSH-Server LISTEN
tcp *:80 *:0 HTTP CORE LISTEN
tcp *:80 *:0 HTTP CORE LISTEN
udp *:161 *:0 IP SNMP LISTEN
udp *:162 *:0 IP SNMP LISTEN
udp *:53519 *:0 IP SNMP LISTEN
Router#
Router#show tcp brief all
TCB Local Address Foreign Address (state)
03577CD8 ::.22 *.* LISTEN
03577318 *.22 *.* LISTEN
035455F8 ::.80 *.* LISTEN
03544C38 *.80 *.* LISTEN
Router#
Note: The CLI commands show tcp brief all and show control-plane host open-ports are platform dependent and may not be present on all the platforms running Cisco IOS or Cisco IOS XE Software.
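As an added example (not Cisco's code and not part of the advisory), a small Python parser for the two CLI outputs shown above that applies the advisory's exposure test: any TCP socket in LISTEN state counts, UDP sockets and other states do not, and the IPv4 ("*") and IPv6 ("::") listeners in show tcp brief all are reported per port. The sample text is the advisory's own output, embedded here as constructed strings.

```python
import re
# Constructed samples: the two CLI outputs quoted in the advisory.
OPEN_PORTS_OUTPUT = """\
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:22 *:0 SSH-Server LISTEN
tcp *:80 *:0 HTTP CORE LISTEN
tcp *:80 *:0 HTTP CORE LISTEN
udp *:161 *:0 IP SNMP LISTEN
udp *:162 *:0 IP SNMP LISTEN
udp *:53519 *:0 IP SNMP LISTEN
"""
TCP_BRIEF_OUTPUT = """\
TCB Local Address Foreign Address (state)
03577CD8 ::.22 *.* LISTEN
03577318 *.22 *.* LISTEN
035455F8 ::.80 *.* LISTEN
03544C38 *.80 *.* LISTEN
"""
# groups: proto, local addr, local port, foreign, service (may contain spaces), state
OPEN_PORT_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+\S+\s+(.*?)\s+(\S+)$")
# groups: local addr, local port, state (the leading token is the hex TCB id)
TCP_BRIEF_RE = re.compile(r"^[0-9A-Fa-f]+\s+(\S+)\.(\d+)\s+\S+\s+(\S+)$")

def tcp_listeners_from_open_ports(output):
    """{port: service} for TCP sockets in LISTEN state. UDP rows are skipped:
    the advisory concerns the TCP input module only."""
    listeners = {}
    for line in output.splitlines():
        m = OPEN_PORT_RE.match(line.strip())
        if m and m.group(1) == "tcp" and m.group(5) == "LISTEN":
            listeners[int(m.group(3))] = m.group(4)
    return listeners

def tcp_listeners_from_tcp_brief(output):
    """{port: set of address families} for LISTEN TCBs; a local address with a
    colon ('::') is the IPv6 listener, '*' the IPv4 one (both are reachable)."""
    listeners = {}
    for line in output.splitlines():
        m = TCP_BRIEF_RE.match(line.strip())
        if m and m.group(3) == "LISTEN":
            family = "ipv6" if ":" in m.group(1) else "ipv4"
            listeners.setdefault(int(m.group(2)), set()).add(family)
    return listeners

def is_exposed(listeners):
    """Advisory rule: any process listening on any TCP port means vulnerable."""
    return bool(listeners)
```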
To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by the Cisco IOS Software release number and release name. Other Cisco devices do not have the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 15.2(4)M5 with an installed image name of C3900-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.2(4)M5, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Fri 13-Sep-13 16:44 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming conventions is available in White Paper: Cisco IOS and NX-OS Software Reference Guide.
Products Confirmed Not Vulnerable
Cisco IOS XR Software is not affected by this vulnerability.
No other Cisco products are currently known to be affected by this vulnerability.
Details
A vulnerability in the TCP input module of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak and eventual reload of the affected device.
The vulnerability is due to improper handling of certain crafted packet sequences used in establishing a TCP three-way handshake. An attacker could exploit this vulnerability by sending a crafted sequence of TCP packets while establishing a three-way handshake. A successful exploit could allow the attacker to cause a memory leak and eventual reload of the affected device.
This vulnerability can be exploited using both IPv4 and IPv6 packets. The vulnerability can be triggered by a crafted sequence of TCP packets during the establishment of a three-way handshake. The crafted sequence of TCP packets must be destined for any TCP listening port using an IPv4 or IPv6 unicast address of any interface configured on a device.
This vulnerability can only be triggered by traffic destined to an affected device and cannot be exploited with traffic transiting an affected device.
In devices that meet the vulnerable configuration criteria, a crafted sequence of TCP packets could trigger this vulnerability. An attacker with knowledge of the infrastructure could craft TCP packets with certain conditions to exploit this vulnerability. Successful exploitation of the vulnerability may result in a reload of the affected device.
This vulnerability is documented in Cisco bug ID CSCum94811 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2015-0646.
Workarounds
There are no workarounds for this vulnerability.
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link:
https://sec.cloudapps.cisco.com/security/center/viewAMBAlert.x?alertId=37433
Fixed Software
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Alerts archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Cisco IOS Software
Cisco provides a tool to help customers determine their exposure to vulnerabilities in Cisco IOS Software. The Cisco IOS Software Checker allows customers to perform the following tasks:
- Initiate a search by selecting releases from the drop-down menu or uploading a file from a local system
- Enter show version command output for the tool to parse
- Create a customized search by including all previously published Cisco Security Advisories, a specific publication, or all advisories in the most recent bundled publication
The tool identifies any Cisco Security Advisories that impact a queried software release and the earliest release that corrects all vulnerabilities in each Cisco Security Advisory ("First Fixed"). If applicable, the tool also returns the earliest possible release that corrects all vulnerabilities in all displayed advisories ("Combined First Fixed"). To determine whether a given Cisco IOS Software release is affected by any published Cisco IOS Software advisory, enter that release in the Cisco IOS Software Checker.
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, and Cisco IOS XE 3SG Release Notes.
Cisco IOS XE Software
Cisco IOS XE Software is affected by the vulnerability described in this advisory.
Cisco IOS XE Software Release | First Fixed Release | First Fixed Release for All Advisories in the March 2015 Cisco IOS Software Security Advisory Bundled Publication
2.5.x | Not vulnerable | Vulnerable; migrate to 3.12.3S or later.
2.6.x | Not vulnerable | Vulnerable; migrate to 3.12.3S or later.
3.1.xS | Not vulnerable | Vulnerable; migrate to 3.12.3S or later.
3.1.xSG | Not vulnerable | Not vulnerable
3.2.xS | Not vulnerable | Vulnerable; migrate to 3.12.3S or later.
3.2.xSE | Not vulnerable | Vulnerable; migrate to 3.7.1E or later.
3.2.xSG | Not vulnerable | Not vulnerable
3.2.xXO | Not vulnerable | Not vulnerable
3.2.xSQ | Not vulnerable | Not vulnerable
3.3.xS | Not vulnerable | Vulnerable; migrate to 3.12.3S or later.
3.3.xSE | Not vulnerable | Vulnerable; migrate to 3.7.1E or later.
3.3.xSG | Not vulnerable | Vulnerable; migrate to 3.7.1E or later.
3.3.xXO | Vulnerable; migrate to 3.7.0E or later. | Vulnerable; migrate to 3.7.1E or later.
3.3.xSQ | Not vulnerable | Not vulnerable
3.4.xS | Not vulnerable | Vulnerable; migrate to 3.12.3S or later.
3.4.xSG | Not vulnerable | Vulnerable; migrate to 3.7.1E or later.
3.4.xSQ | Not vulnerable | Not vulnerable
3.5.xS | Not vulnerable | Vulnerable; migrate to 3.12.3S or later.
3.5.xE | Vulnerable; migrate to 3.7.0E or later. | Vulnerable; migrate to 3.7.1E or later.
3.6.xS | Not vulnerable | Vulnerable; migrate to 3.12.3S or later.
3.6.xE | Vulnerable; migrate to 3.7.0E or later. | Vulnerable; migrate to 3.7.1E or later.
3.7.xS | Not vulnerable | Vulnerable; migrate to 3.12.3S or later.
3.7.xE | Not vulnerable | 3.7.1E
3.8.xS | Vulnerable; migrate to 3.10.5S or later. | Vulnerable; migrate to 3.12.3S or later.
3.9.xS | Vulnerable; migrate to 3.10.5S or later. | Vulnerable; migrate to 3.12.3S or later.
3.10.xS | 3.10.5S | Vulnerable; migrate to 3.12.3S or later.
3.11.xS | Vulnerable; migrate to 3.12.3S or later. | Vulnerable; migrate to 3.12.3S or later.
3.12.xS | 3.12.3S | Vulnerable; migrate to 3.12.3S or later.
3.13.xS | Not vulnerable | 3.13.2S
3.14.xS | Not vulnerable | Not vulnerable
3.15.xS | Not vulnerable | Not vulnerable
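Added example, not Cisco's Software Checker or any Cisco code: the First Fixed Release column of the Cisco IOS XE table above encoded as a lookup keyed by release train, with a classifier that maps an IOS XE release string such as 3.10.4S to its train, plus a parser for the show version banner line shown earlier in this advisory. Two assumptions are this example's own: a release is treated as fixed when it is in the same train as the First Fixed release and its rebuild number is not lower, and the banner regex assumes the "(image), Version release," layout of the quoted banner.

```python
import re
# First Fixed Release column of the advisory's Cisco IOS XE table, keyed by
# train (None means "Not vulnerable"); transcribed here for the example.
FIRST_FIXED = {
    "2.5.x": None, "2.6.x": None, "3.1.xS": None, "3.1.xSG": None,
    "3.2.xS": None, "3.2.xSE": None, "3.2.xSG": None, "3.2.xXO": None,
    "3.2.xSQ": None, "3.3.xS": None, "3.3.xSE": None, "3.3.xSG": None,
    "3.3.xXO": "3.7.0E", "3.3.xSQ": None, "3.4.xS": None, "3.4.xSG": None,
    "3.4.xSQ": None, "3.5.xS": None, "3.5.xE": "3.7.0E", "3.6.xS": None,
    "3.6.xE": "3.7.0E", "3.7.xS": None, "3.7.xE": None, "3.8.xS": "3.10.5S",
    "3.9.xS": "3.10.5S", "3.10.xS": "3.10.5S", "3.11.xS": "3.12.3S",
    "3.12.xS": "3.12.3S", "3.13.xS": None, "3.14.xS": None, "3.15.xS": None,
}

XE_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([A-Z]*)$")   # e.g. 3.10.4S
BANNER_RE = re.compile(r"\((?P<image>[^)]+)\), Version (?P<version>[^,]+),")

# Constructed sample: the show version banner line quoted in the advisory.
SHOW_VERSION_BANNER = ("Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), "
                       "Version 15.2(4)M5, RELEASE SOFTWARE (fc2)")

def parse_show_version(banner):
    """Return (image name, release) from the banner line, or None if no match."""
    m = BANNER_RE.search(banner)
    return (m["image"], m["version"]) if m else None

def parse_xe_release(release):
    """Split '3.10.4S' into (3, 10, 4, 'S'); its train key is '3.10.xS'."""
    m = XE_RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"not an IOS XE release string: {release!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]

def xe_status(release):
    """Classify an IOS XE release against FIRST_FIXED (this vulnerability only,
    not the bundled-publication column)."""
    major, minor, rebuild, suffix = parse_xe_release(release)
    train = f"{major}.{minor}.x{suffix}"
    if train not in FIRST_FIXED:
        return "unknown train"        # not in the table: consult the Software Checker
    fixed = FIRST_FIXED[train]
    if fixed is None:
        return "not vulnerable"
    fmajor, fminor, frebuild, fsuffix = parse_xe_release(fixed)
    # Assumption: a fix inside the same train covers that rebuild and later ones;
    # a fix in a different train means the running train must migrate.
    if (fmajor, fminor, fsuffix) == (major, minor, suffix) and rebuild >= frebuild:
        return "fixed"
    return f"vulnerable; migrate to {fixed} or later"
```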
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Source
This vulnerability was discovered during the resolution of a support case.
Cisco Security Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision History
Version | Description | Section | Status | Date
1.2 | Updated the Cisco IOS Software Checker form to query all previously published Cisco IOS Software Security Advisories. | | | 2016-January-14
1.1 | Updated the First Fixed Release for All Advisories in the March 2015 Cisco IOS Software Security Advisory Bundled Publication table. | | | 2015-March-25
1.0 | Initial public release. | | | 2015-March-25
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.