[NEWS] Multiple Crafted IPv6 Packets Cause Reload
From: SecuriTeam (support_at_securiteam.com)
Date: 01/26/05
To: list@securiteam.com Date: 26 Jan 2005 19:06:59 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Crafted IPv6 Packets Cause Reload
------------------------------------------------------------------------
SUMMARY
Cisco Internetwork Operating System (IOS) Software is vulnerable to a
Denial of Service (DoS) attack from crafted IPv6 packets when the device
has been configured to process IPv6 traffic. This vulnerability requires
multiple crafted packets to be sent to the device which may result in a
reload upon successful exploitation.
Cisco has made free software available to address this vulnerability.
There are workarounds available to mitigate the effects.
DETAILS
Affected Products:
Vulnerable Products
Only Cisco devices running IOS and configured for IPv6 are affected. The
show ipv6 interface command displays all IPv6-enabled interfaces on a
router.
An empty output or an error message will be displayed if IPv6 is disabled
or unsupported on the system. In this case the system is not vulnerable.
Sample output of show ipv6 interface command is shown below for a system
configured for IPv6.
    Router#show ipv6 interface
    Serial1/0 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:D200
      Global unicast address(es):
        2001:1:33::3, subnet is 2001:1:33::/64 [TENTATIVE]
      Joined group address(es):
        FF02::1
        FF02::1:FF00:3
        FF02::1:FF00:D200
      MTU is 1500 bytes
      ICMP error messages limited to one every 100 milliseconds
      ICMP redirects are enabled
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 30000 milliseconds
    Router#
A router that has IPv6 enabled on a physical or logical interface is
vulnerable to this issue even if ipv6 unicast-routing is globally
disabled. The show ipv6 interface command can be used to determine whether
IPv6 is enabled on any interface.
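The check described above can be run over captured show ipv6 interface output from many devices. The following is an added example, not part of the Cisco advisory; the Tunnel0 entry, its link-local address, and the empty and error captures are constructed samples.

```python
import re

HEADER = re.compile(r"^(\S+) is (.+?), line protocol is (.+)$")
ENABLED = re.compile(r"^\s*IPv6 is enabled\b")
LINK_LOCAL = re.compile(r"link-local address is (\S+)")

def ipv6_interfaces(show_output):
    """Map each interface reported as IPv6-enabled to its link-local
    address (or None). Works on indented or flattened captures."""
    found, current = {}, None
    for line in show_output.splitlines():
        header = HEADER.match(line.rstrip())
        if header:
            current = header.group(1)   # physical or logical (tunnel) interface
            continue
        if current and ENABLED.match(line):
            ll = LINK_LOCAL.search(line)
            found[current] = ll.group(1) if ll else None
    return found

def is_exposed(show_output):
    """Advisory condition: IPv6 enabled on any interface, regardless of
    'ipv6 unicast-routing'. Empty or error output means not exposed."""
    return bool(ipv6_interfaces(show_output))

# Constructed captures: the advisory's Serial1/0 sample plus a tunnel.
SAMPLE_ENABLED = """\
Router#show ipv6 interface
Serial1/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:D200
  MTU is 1500 bytes
Tunnel0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:D201
Router#
"""
SAMPLE_EMPTY = "Router#show ipv6 interface\nRouter#\n"
SAMPLE_ERROR = ("Router#show ipv6 interface\n"
                "% Invalid input detected at '^' marker.\nRouter#\n")

if __name__ == "__main__":
    for name, text in [("enabled", SAMPLE_ENABLED), ("empty", SAMPLE_EMPTY),
                       ("error", SAMPLE_ERROR)]:
        print(name, is_exposed(text), ipv6_interfaces(text))
```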
Products Confirmed Not Vulnerable
* Products that are not running Cisco IOS are not affected.
* Products running any version of Cisco IOS that do not have IPv6
configured interfaces are not vulnerable.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details:
IPv6 is "Internet Protocol Version 6", designed by the Internet
Engineering Task Force (IETF) to replace the current version of the
Internet Protocol, IP Version 4 (IPv4).
A vulnerability exists in the processing of IPv6 packets that can be
exploited to cause the reload of a system. Crafted packets received on
logical interfaces (that is, tunnels including 6to4 tunnels) as well as
physical interfaces can trigger this vulnerability.
Multiple crafted IPv6 packets need to be sent to exploit this
vulnerability. Such crafted packets can be sent remotely.
This issue is documented in Cisco bug ID CSCed40933:
http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCed40933
Impact:
Successful exploitation of this vulnerability results in a reload of the
device. Repeated exploitation could result in a sustained DoS attack.
Software Versions and Fixes:
A table listing all the vulnerable versions and their corresponding fixes
can be found at:
http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml#software
Workarounds:
The effectiveness of any workaround is dependent on specific customer
situations such as product mix, network topology, traffic behavior, and
organizational mission. Due to the variety of affected products and
releases, customers should consult with their service provider or support
organization to ensure any applied workaround is the most appropriate for
use in the intended network before it is deployed.
Although it is often difficult to block traffic transiting your network,
it is possible to identify traffic which should never be allowed to target
your infrastructure devices and block that traffic at the border of your
network. Infrastructure access control lists (ACLs) are considered a
network security best practice and should be considered as a long-term
addition to good network security as well as a workaround for this
specific vulnerability. The white paper entitled "Protecting Your Core:
Infrastructure Protection Access Control Lists", available at
http://www.cisco.com/warp/public/707/iacl.html, presents guidelines and
recommended deployment techniques for infrastructure protection ACLs.
Exceptions would include any devices which have a legitimate reason to
access your infrastructure (for example, BGP peers, DNS servers, and so
on). All other traffic must be able to traverse your network without
terminating on any of your devices.
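The rule ordering this paragraph implies (exceptions first, then deny anything destined to infrastructure, then permit transit) can be modelled and tested before an ACL is deployed. This is an added example, not from the advisory or the white paper; every prefix, peer address and port below is a constructed value from the 2001:db8::/32 documentation range.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

net = ipaddress.ip_network
ANY = net("::/0")

def build_iacl(infrastructure, exceptions):
    """Order matters: legitimate sources first, then block everything
    else aimed at infrastructure, then let transit traffic through."""
    rules = [Rule("permit", net(s), net(d), p, port)
             for s, d, p, port in exceptions]
    rules += [Rule("deny", ANY, net(prefix)) for prefix in infrastructure]
    rules.append(Rule("permit", ANY, ANY))
    return rules

def first_match(rules, src, dst, proto, dport=None):
    """Return the action of the first rule matching the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (src in r.src and dst in r.dst
                and r.proto in (None, proto) and r.dport in (None, dport)):
            return r.action
    return "deny"  # nothing matched

# Constructed policy: one infrastructure block, one BGP peer exception.
IACL = build_iacl(
    infrastructure=["2001:db8:ffff::/48"],
    exceptions=[("2001:db8:100::1/128", "2001:db8:ffff::1/128", "tcp", 179)],
)

if __name__ == "__main__":
    packets = [
        ("2001:db8:100::1", "2001:db8:ffff::1", "tcp", 179),   # BGP peer
        ("2001:db8:dead::5", "2001:db8:ffff::1", "tcp", 179),  # unknown source
        ("2001:db8:dead::5", "2001:db8:beef::9", "udp", 53),   # transit
    ]
    for pkt in packets:
        print(pkt, "->", first_match(IACL, *pkt))
```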
ADDITIONAL INFORMATION
The information has been provided by the Cisco Systems Product Security
Incident Response Team (psirt@cisco.com).
The original article can be found at:
http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml