[NEWS] ICMP Unreachable Vulnerability in Cisco 12000 Series Internet Router

From: support@securiteam.com
Date: 11/18/01

From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] ICMP Unreachable Vulnerability in Cisco 12000 Series Internet Router
Message-Id: <20011118180705.8AD2A138BF@mail.der-keiler.de>
Date: Sun, 18 Nov 2001 19:07:05 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  ICMP Unreachable Vulnerability in Cisco 12000 Series Internet Router


The performance of Cisco 12000 series routers can be degraded when they
have to send a large number of ICMP unreachable packets. This situation
usually can occur during heavy network scanning. This vulnerability is
tracked by three different bug IDs: CSCdr46528, CSCdt66560, and
CSCds36541. Each bug ID is assigned to a different Engine the line card is
based upon.

No other Cisco router or switch is affected by this vulnerability. It is
specific to the Cisco 12000 Series.

No other Cisco product is vulnerable.

The workaround is either to prevent the router from sending Internet
Control Message Protocol (ICMP) unreachable messages at all or to rate
limit them.


Affected products:
Only Cisco 12000 Series Internet Routers are affected by this
vulnerability. No other routers or switches are affected. Not all line
cards of a Cisco 12000 Series are affected by this vulnerability. The
vulnerability is present in the underlying technology an individual line
card is based upon. That technology is called an "Engine". Currently, Cisco
is shipping line cards based on the following Engines: 0, 1, 2, 3, and 4.

To determine which Engine your card is based on, log on to the Cisco 12000
router and issue the "sh diag" command while in enable mode. The engine
type is displayed as "L3 Engine: x", where x is the corresponding number.

The following example shows the output for an Engine 2 based line card.

c12000#sh diag
SLOT 1 (RP/LC 1 ): 1 Port Packet Over SONET OC-48c/STM-16 Single Mode/SR
SC-SC connector
MAIN: type 41, 800-5271-01 rev A0 dev 0
HW config: 0x04 SW key: 00-00-00
PCA: 73-3295-05 rev A0 ver 5
HW version 1.1 S/N SDK034004AY
MBUS: Embedded Agent
Test hist: 0x00 RMA#: 00-00-00 RMA hist: 0x00
DIAG: Test count: 0x00000000 Test results: 0x00000000
L3 Engine: 2 - Backbone OC48 (2.5 Gbps)
^^^^^^^^^^^^ <- Note the engine type
[Further output truncated]

All line cards that are based on Engines 0, 1 and 2 are vulnerable.
Line cards based on Engines 3 and 4 are not affected.
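The engine check above can be scripted for a router with many slots. The following is an added example, not part of the advisory or Cisco's tooling: it parses "show diag" text and lists the slots whose line card is based on an Engine the advisory marks as vulnerable. The sample output is constructed (the slot 3 card description is a placeholder), and the regular expressions assume the "SLOT n (" and "L3 Engine: n" formats shown in the advisory.

```python
import re

# Engines the advisory lists as vulnerable; Engine 3 and 4 cards are not affected.
VULNERABLE_ENGINES = {0, 1, 2}

# Constructed "show diag" excerpt covering three slots; not a real capture.
# The slot 3 card description is a placeholder, and the RP in slot 0 has no engine line.
SAMPLE_SHOW_DIAG = """\
SLOT 0 (RP/LC 0 ): Route Processor
SLOT 1 (RP/LC 1 ): 1 Port Packet Over SONET OC-48c/STM-16 Single Mode/SR
MAIN: type 41, 800-5271-01 rev A0 dev 0
L3 Engine: 2 - Backbone OC48 (2.5 Gbps)
SLOT 3 (RP/LC 3 ): 4 Port Packet Over SONET OC-12c/STM-4 Multi Mode
L3 Engine: 3 - (constructed card description)
"""

SLOT_RE = re.compile(r"^SLOT\s+(\d+)\s*\(")      # start of a slot's block
ENGINE_RE = re.compile(r"L3 Engine:\s*(\d+)")    # engine line inside a block


def parse_engines(show_diag):
    """Map slot number -> L3 Engine number for every slot that reports one."""
    engines, slot = {}, None
    for line in show_diag.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slot = int(m.group(1))   # subsequent lines belong to this slot
            continue
        m = ENGINE_RE.search(line)
        if m and slot is not None:
            engines[slot] = int(m.group(1))
    return engines


def vulnerable_slots(show_diag):
    """Slots holding a line card whose Engine the advisory lists as vulnerable."""
    return sorted(s for s, e in parse_engines(show_diag).items()
                  if e in VULNERABLE_ENGINES)


if __name__ == "__main__":
    for slot, engine in sorted(parse_engines(SAMPLE_SHOW_DIAG).items()):
        print(f"slot {slot}: Engine {engine}")
    print("slots needing the workaround or a fixed release:",
          vulnerable_slots(SAMPLE_SHOW_DIAG))
```

Feed it the real "sh diag" output captured from the router; slots without an "L3 Engine" line (such as the route processor) are ignored.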

The following table depicts which Cisco IOS® Software Release is
vulnerable to a particular issue:

DDTS 12.0S 12.0SC 12.0ST
CSCdr46528 Vulnerable Vulnerable
CSCds36541 Vulnerable Vulnerable Vulnerable
CSCdt66560 Vulnerable Vulnerable

The received packet will be dropped when either there is no valid path to
the destination or when the packet should be routed to the Null0
interface. The packets are either fast dropped (Engine 0 Line Cards) or
hardware dropped (all other application-specific integrated circuit (ASIC)
based forwarding Line Cards). Given the fast and hardware drop
capabilities of the Cisco 12000, a large volume of traffic can be dropped
without affecting the capabilities of the router. Whenever a packet is
dropped, the router must send an ICMP unreachable packet back to the
source. That is mandated by the Internet Standards.

When a high volume of traffic that requires ICMP unreachable replies is
sent to the router, the processing of the replies can saturate the CPU.
This condition can occur when the router is "Black Hole" filtering,
dropping packets sent to it as the network's default path, or during a
direct Denial of Service (DoS) attack against the router. For further
information on "Black Hole" filtering, consult the document: Essential IOS
Features Every ISP Should Consider, section "Black Hole Routing as a Packet

The following table shows the relationship between the vulnerabilities and
Engine the line card is based on.

DDTS Engine 0 Engine 1 Engine 2 Engine 4
CSCdr46528 Vulnerable
CSCds36541 Vulnerable
CSCdt66560 Vulnerable

Exploitation of these vulnerabilities may lead to denial of service.
The router's performance will degrade and, in the worst-case scenario, the
router will stop forwarding packets.

Software versions and fixes:
Please refer to the table available at:

For fix information.

Obtaining fixed software:
Cisco is offering free software upgrades to eliminate this vulnerability
for all affected customers.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's Worldwide Web
site at http://www.cisco.com. Customers whose Cisco products are provided
or maintained through prior or existing agreement with third-party support
organizations such as Cisco Partners, authorized resellers, or service
providers should contact that support organization for assistance with the
upgrade, which should be free of charge.

Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:
 * +1 800 553 2447 (toll-free from within North America)
 * +1 408 526 7209 (toll call from anywhere in the world)
 * e-mail: tac@cisco.com
Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested
through the TAC. Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.

There are two workarounds for this issue. The first one is to prevent the
router from sending ICMP unreachables at all. That behavior is governed
by the "no ip unreachables" command. This command is applied on an
interface, as in this example:

router(config)#interface ethernet 0
router(config-if)#no ip unreachables

The second is to mitigate the problem by rate limiting the number of ICMP
unreachable packets that are sent. Here is the example:

router(config)#ip icmp rate-limit unreachable n

Where n is the number of milliseconds between two consecutive ICMP
unreachable packets. The default value is 500. That means that one ICMP
unreachable packet is sent every 500 ms.
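To verify that one of the two workarounds is in place across a router's configuration, the following added example (not part of the advisory) reads a "show running-config" text, reports the effective ICMP unreachable rate-limit interval (the advisory's 500 ms default when none is configured) and lists the interfaces on which "no ip unreachables" has not been applied. The configuration fragment is constructed; interface names and addresses are illustrative.

```python
import re

DEFAULT_UNREACHABLE_INTERVAL_MS = 500  # IOS default stated in the advisory

# Constructed running-config fragment for illustration; not a capture from a real router.
SAMPLE_CONFIG = """\
!
ip icmp rate-limit unreachable 2000
!
interface POS1/0
 ip address 192.0.2.1 255.255.255.252
 no ip unreachables
!
interface POS3/0
 ip address 192.0.2.5 255.255.255.252
!
"""


def unreachable_interval_ms(config):
    """Configured 'ip icmp rate-limit unreachable' interval in ms, or the 500 ms default."""
    m = re.search(r"^ip icmp rate-limit unreachable\s+(\d+)\s*$", config, re.M)
    return int(m.group(1)) if m else DEFAULT_UNREACHABLE_INTERVAL_MS


def interface_blocks(config):
    """Yield (interface name, [body lines]) for each 'interface' stanza."""
    name, body = None, []
    for line in config.splitlines():
        if line.startswith("interface "):
            if name is not None:
                yield name, body
            name, body = line.split(None, 1)[1].strip(), []
        elif name is not None and line.startswith(" "):
            body.append(line.strip())        # indented line belongs to the stanza
        elif name is not None:               # '!' or another top-level line ends it
            yield name, body
            name, body = None, []
    if name is not None:
        yield name, body


def interfaces_sending_unreachables(config):
    """Interfaces on which 'no ip unreachables' has not been applied."""
    return [n for n, body in interface_blocks(config)
            if "no ip unreachables" not in body]


def audit(config):
    """(rate-limit interval in ms, interfaces still sending ICMP unreachables)."""
    return unreachable_interval_ms(config), interfaces_sending_unreachables(config)


if __name__ == "__main__":
    interval, open_ifaces = audit(SAMPLE_CONFIG)
    print(f"ICMP unreachable interval: {interval} ms")
    print("interfaces still sending ICMP unreachables:", open_ifaces or "none")
```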


The information has been provided by <mailto:psirt@cisco.com> Cisco
Systems Product Security Incident Response Team.

