[NEWS] Multiple Crafted IPv6 Packets Cause Reload

From: SecuriTeam (support_at_securiteam.com)
Date: 01/26/05

    To: list@securiteam.com
    Date: 26 Jan 2005 19:06:59 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Multiple Crafted IPv6 Packets Cause Reload
    ------------------------------------------------------------------------

    SUMMARY

    Cisco Internetwork Operating System (IOS) Software is vulnerable to a
    Denial of Service (DoS) attack from crafted IPv6 packets when the device
    has been configured to process IPv6 traffic. This vulnerability requires
    multiple crafted packets to be sent to the device which may result in a
    reload upon successful exploitation.

    Cisco has made free software available to address this vulnerability.

    There are workarounds available to mitigate the effects.

    DETAILS

    Affected Products:
    Vulnerable Products
    Only Cisco devices running IOS and configured for IPv6 are affected. The
    show ipv6 interface command displays all IPv6-enabled interfaces on a
    router.

    An empty output or an error message will be displayed if IPv6 is disabled
    or unsupported on the system. In this case the system is not vulnerable.

    Sample output of the show ipv6 interface command is shown below for a
    system configured for IPv6.

      Router#show ipv6 interface
      Serial1/0 is up, line protocol is up
        IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:D200
        Global unicast address(es):
          2001:1:33::3, subnet is 2001:1:33::/64 [TENTATIVE]
        Joined group address(es):
          FF02::1
          FF02::1:FF00:3
          FF02::1:FF00:D200
        MTU is 1500 bytes
        ICMP error messages limited to one every 100 milliseconds
        ICMP redirects are enabled
        ND DAD is enabled, number of DAD attempts: 1
        ND reachable time is 30000 milliseconds
      Router#

    A router that has IPv6 enabled on a physical or logical interface is
    vulnerable to this issue even if ipv6 unicast-routing is globally
    disabled. The show ipv6 interface command can be used to determine whether
    IPv6 is enabled on any interface.
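
    The check described above, applied to saved show ipv6 interface output, as an added example that is not part of the Cisco advisory. The function names, the Tunnel0 entry and the empty and error samples are constructed for illustration.

```python
import re

# Constructed sample: Serial1/0 lines are from the advisory, Tunnel0 is invented.
SAMPLE_ENABLED = """Router#show ipv6 interface
Serial1/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:D200
  Global unicast address(es):
    2001:1:33::3, subnet is 2001:1:33::/64 [TENTATIVE]
  Joined group address(es):
    FF02::1
Tunnel0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C000:201
  Global unicast address(es):
    2001:DB8:1::1, subnet is 2001:DB8:1::/64
Router#"""
SAMPLE_EMPTY = "Router#show ipv6 interface\nRouter#"  # constructed: IPv6 disabled
SAMPLE_ERROR = ("Router#show ipv6 interface\n            ^\n"
                "% Invalid input detected at '^' marker.\nRouter#")  # constructed

HEADER = re.compile(r"^(\S+) is ([\w ]+?), line protocol is (\w+)")
V6_STATE = re.compile(r"^IPv6 is (\w+), link-local address is (\S+)")
GLOBAL = re.compile(r"^([0-9A-Fa-f:]+), subnet is (\S+)")

def ipv6_interfaces(show_output):
    """Return a dict for every interface that carries an "IPv6 is ..." line."""
    found, current = [], None
    for raw in show_output.splitlines():
        line = raw.strip()
        if not line or line.startswith("%"):
            continue  # blank line or IOS error text
        m = HEADER.match(line)
        if m:  # start of a new interface section
            current = {"name": m.group(1), "status": m.group(2),
                       "ipv6_state": None, "link_local": None, "global": []}
        elif current and (m := V6_STATE.match(line)):
            # The page's sample shows "enabled"; other state words are kept
            # as-is instead of dropped (assumption: over-report for triage).
            current["ipv6_state"], current["link_local"] = m.groups()
            found.append(current)
        elif current and (m := GLOBAL.match(line)):
            current["global"].append(m.group(1))
    return found

def meets_ipv6_condition(show_output):
    """True when any interface has IPv6 enabled, the advisory's config condition.
    Empty output or an error message returns False (not vulnerable per the page)."""
    return bool(ipv6_interfaces(show_output))

if __name__ == "__main__":
    for intf in ipv6_interfaces(SAMPLE_ENABLED):
        print(intf["name"], intf["ipv6_state"], intf["link_local"], intf["global"])
```

    A True result only means the configuration condition is met; the running IOS release still has to be compared with the fix table referenced under Software Versions and Fixes.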

    Products Confirmed Not Vulnerable
     * Products that are not running Cisco IOS are not affected.
     * Products running any version of Cisco IOS that do not have IPv6
    configured interfaces are not vulnerable.

    No other Cisco products are currently known to be affected by these
    vulnerabilities.

    Details:
    IPv6 is the "Internet Protocol Version 6", designed by the Internet
    Engineering Task Force (IETF) to replace the current version of the
    Internet Protocol, IP Version 4 (IPv4).

    A vulnerability exists in the processing of IPv6 packets that can be
    exploited to cause the reload of a system. Crafted packets received on
    logical interfaces (that is, tunnels including 6to4 tunnels) as well as
    physical interfaces can trigger this vulnerability.

    Multiple crafted IPv6 packets need to be sent to exploit this
    vulnerability. Such crafted packets can be sent remotely.

    This issue is documented in Cisco bug ID CSCed40933:
    http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCed40933

    Impact:
    Successful exploitation of this vulnerability results in a reload of the
    device. Repeated exploitation could result in a sustained DoS attack.

    Software Versions and Fixes:
    A table listing all the vulnerable versions and their corresponding fixes
    can be found at:
    http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml#software

    Workarounds:
    The effectiveness of any workaround is dependent on specific customer
    situations such as product mix, network topology, traffic behavior, and
    organizational mission. Due to the variety of affected products and
    releases, customers should consult with their service provider or support
    organization to ensure any applied workaround is the most appropriate for
    use in the intended network before it is deployed.

    Although it is often difficult to block traffic transiting your network,
    it is possible to identify traffic which should never be allowed to target
    your infrastructure devices and block that traffic at the border of your
    network. Infrastructure access control lists (ACLs) are considered a
    network security best practice and should be considered as a long-term
    addition to good network security as well as a workaround for this
    specific vulnerability. The white paper entitled "Protecting Your Core:
    Infrastructure Protection Access Control Lists", available at
    http://www.cisco.com/warp/public/707/iacl.html, presents guidelines and
    recommended deployment techniques for infrastructure protection ACLs.
    Exceptions would include any devices which have a legitimate reason to
    access your infrastructure (for example, BGP peers, DNS servers, and so
    on). All other traffic must be able to traverse your network without
    terminating on any of your devices.

    ADDITIONAL INFORMATION

    The information has been provided by the Cisco Systems Product Security
    Incident Response Team <psirt@cisco.com>.
    The original article can be found at:
    http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml
