
CERT Coordination Center

Cisco IOS fails to properly process certain packets containing a crafted IP option

Vulnerability Note VU#341288

Original Release Date: 2007-01-24 | Last Revised: 2007-01-31

Overview

Cisco IOS software contains a vulnerability that may allow an attacker to execute arbitrary code or create a denial of service condition.

Description

Cisco IOS is an operating system that is used on Cisco network devices. The Internet Control Message Protocol (ICMP) is a protocol commonly used for testing connections and diagnosing problems.

A vulnerability exists in the way Cisco IOS processes the following types of packets sent to an IPv4 address on an affected system:

    • ICMP - Echo (Type 8)
    • ICMP - Timestamp (Type 13)
    • ICMP - Information Request (Type 15)
    • ICMP - Address Mask Request (Type 17)
    • PIMv2 - IP protocol 103
    • PGM - IP protocol 113
    • URD - TCP Port 465

An attacker may be able to exploit the vulnerability by sending a packet with a specially crafted IP header to an IP address on a vulnerable system. Note that ICMP is often enabled on network infrastructure switches and routers for troubleshooting purposes.

Impact

A remote unauthenticated attacker may be able to execute arbitrary code or create a denial of service condition. Note that a vulnerable system would have to be the destination for the specially crafted packet.
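
As an added example (not part of this note or of Cisco's advisory), the Python below flags IPv4 packets that match the packet types listed in the Description, are addressed to the device itself as the Impact section requires, and carry any IP options. The note does not say which option triggers the flaw, so matching on the presence of any option (header longer than 20 bytes) is an assumption, and the function names, addresses and sample packets are constructed for illustration.

```python
import ipaddress
import struct

# Packet classes listed in VU#341288.
ICMP_TYPES = {8: "ICMP Echo", 13: "ICMP Timestamp",
              15: "ICMP Information Request", 17: "ICMP Address Mask Request"}
IP_PROTOS = {103: "PIMv2", 113: "PGM"}
URD_TCP_PORT = 465

def classify(packet: bytes, device_addrs: set):
    """Label an IPv4 packet that is a listed type, carries IP options and is
    addressed to the device itself; return None for everything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                          # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4             # header length in bytes
    if ihl <= 20 or len(packet) < ihl:
        return None                          # no options, or bad header length
    if str(ipaddress.IPv4Address(packet[16:20])) not in device_addrs:
        return None                          # transit traffic, device is not the destination
    proto = packet[9]
    if proto in IP_PROTOS:
        return IP_PROTOS[proto]
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    payload = packet[ihl:]
    if frag_offset != 0:
        return None                          # later fragment: no ICMP/TCP header to inspect
    if proto == 1 and len(payload) >= 1:
        return ICMP_TYPES.get(payload[0])
    if proto == 6 and len(payload) >= 4:
        dport = struct.unpack("!H", payload[2:4])[0]
        return "URD (TCP 465)" if dport == URD_TCP_PORT else None
    return None

def build_ipv4(proto: int, dst: str, payload: bytes, options: bytes = b"") -> bytes:
    """Constructed sample packet; checksum is left at zero (not parsed here)."""
    ihl_words = (20 + len(options)) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                         20 + len(options) + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address("192.0.2.10").packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + options + payload

if __name__ == "__main__":
    NOPS = b"\x01\x01\x01\x01"               # four No-Operation options (constructed, benign)
    echo = b"\x08\x00" + b"\x00" * 6         # ICMP type 8 header, zeroed fields
    device = {"192.0.2.1"}
    for pkt in (build_ipv4(1, "192.0.2.1", echo, NOPS),
                build_ipv4(1, "192.0.2.1", echo),
                build_ipv4(103, "192.0.2.1", b"\x20\x00\x00\x00", NOPS)):
        print(classify(pkt, device))
```

Legitimate traffic that uses IP options will also match, so treat a hit as a reason to check the device's software version and access restrictions rather than as proof of an attack.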

Solution

Upgrade
See the Software Version and Fixes section of Cisco Security Advisory 20070124 for information on available upgrades.


Restrict Access

Restricting public access to vulnerable systems mitigates this vulnerability. Access control lists, management VLANs, or alternate connection methods such as modem or console ports can be used to allow restricted access to the device.

Disable Services

Disabling IPv4 functionality on devices using IPv6 may prevent this vulnerability from being exploited.


For more information about these and other workarounds, see the workarounds section of Cisco Security Advisory 20070124.

Vendor Information


Cisco Systems, Inc. Affected

Updated:  January 24, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Cisco for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: None
Severity Metric: 18.15
Date Public: 2007-01-24
Date First Published: 2007-01-24
Date Last Updated: 2007-01-31 20:37 UTC
Document Revision: 21

Sponsored by CISA.