-
After receiving eight TCP connection attempts using a non-standard TCP flags combination, a Catalyst switch will stop responding to further TCP connections to that particular service. In order to re-establish functionality of that service, the switch must be rebooted. There is no workaround. This vulnerability affects only CatOS. No other Cisco products are affected.
This advisory is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030709-swtcp.
-
Vulnerable Products
The CatOS for the following Catalyst models are affected:
- Catalyst 4000 Series including models 2948G and 2980G/2980G-A
- Catalyst 5000 Series including models 2901, 2902 and 2926
- Catalyst 6000
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this vulnerability.
-
After receiving eight connection attempts on any TCP service, the switch will stop responding to any further connection attempts to that service. These attempts must use a non-standard combination of TCP flags. The switch will continue to pass other switched traffic normally and the console is also not affected. Only the service to which connections were made will become unresponsive. Standard TCP services include HTTP, Telnet, and SSH.
This vulnerability is documented as Cisco Bug ID CSCdw52219 (registered customers only).
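The advisory does not identify the flag combination involved, only that eight such connection attempts lock the service. The following added detection example (not part of the advisory and not Cisco code) flags any TCP segment aimed at a switch's management ports whose flag byte is not one a conforming stack emits, and alerts when a (switch, port) pair reaches the eight-attempt threshold; the record format, the switch address and the traffic sample are constructed assumptions.

```python
from collections import defaultdict

# TCP header flag bits (RFC 793; ECE/CWR from RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
ECN_BITS = ECE | CWR  # set legitimately during ECN negotiation, so masked out below

# Flag combinations a conforming TCP stack emits; anything else counts as non-standard.
STANDARD_FLAGS = {
    SYN, SYN | ACK, ACK, ACK | PSH, ACK | FIN, ACK | FIN | PSH,
    ACK | URG, ACK | PSH | URG, RST, RST | ACK,
}

ATTEMPT_THRESHOLD = 8            # the advisory: eight attempts lock the service
MANAGEMENT_PORTS = {22, 23, 80}  # SSH, Telnet, HTTP, the services the advisory names


def is_standard(flags: int) -> bool:
    """True if the flag byte is one a well-behaved TCP stack would send."""
    return (flags & ~ECN_BITS & 0xFF) in STANDARD_FLAGS


def find_locked_services(records, switch_ips):
    """Count non-standard-flag segments per (switch IP, service port).

    records: iterable of (src_ip, dst_ip, dst_port, flags) tuples, e.g. from a
    flow export or capture parser (assumed, not included here). Returns
    (alerts, counts): alerts lists each (switch, port) that reached the
    threshold, in order; counts keeps running totals so sub-threshold activity
    is visible too.
    """
    counts = defaultdict(int)
    alerts = []
    for _src, dst, dport, flags in records:
        if dst not in switch_ips or dport not in MANAGEMENT_PORTS or is_standard(flags):
            continue
        key = (dst, dport)
        counts[key] += 1
        if counts[key] == ATTEMPT_THRESHOLD:
            alerts.append(key)
    return alerts, dict(counts)


# Constructed sample traffic; 192.0.2.10 plays the switch (documentation ranges).
SWITCHES = {"192.0.2.10"}
SAMPLE_RECORDS = (
    [("192.0.2.50", "192.0.2.10", 23, SYN), ("192.0.2.50", "192.0.2.10", 23, ACK | PSH)]  # normal Telnet
    + [("198.51.100.7", "192.0.2.10", 23, SYN | FIN) for _ in range(8)]  # eight malformed: alert
    + [("198.51.100.7", "192.0.2.10", 80, 0) for _ in range(3)]          # three: below threshold
    + [("198.51.100.7", "192.0.2.10", 23, SYN | ECE | CWR)]              # ECN SYN: legitimate
)
```

Because the switch stops answering rather than logging anything once the threshold is hit, the count has to come from traffic visible upstream (a span port, flow export or the edge firewall), and an alert on a pair that reached eight is the cue to schedule the reboot the advisory describes.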
-
There is no workaround. In order to continue using an affected TCP service, the switch must be rebooted.
It is possible to mitigate the exposure by configuring VLAN Access Control Lists (VACLs) on the switch (where they are supported) that will allow only legitimate hosts to connect to the desired services. This must be combined with Unicast Reverse Path Forwarding (uRPF), or some other anti-spoofing technique, on the network edge to protect against spoofed packets from the outside of the network.
-
The vulnerability is fixed in the releases listed below. All releases prior to the listed fixed release in a train are vulnerable; the listed release and all later releases in that train are fixed.

Train   Description of Image or Platform   Availability of Fixed Releases*
                                           Rebuild   Interim**     Maintenance
4.x     Catalyst 4000, 5000                Affected, no fix planned
4.5     Catalyst 4000, 5000                          4.5(13.1)     4.5(14)
5.1     Catalyst 4000, 5000, 6000          Affected, no fix planned
5.2     Catalyst 4000, 5000, 6000          Affected, no fix planned
5.3     Catalyst 6000                      Affected, no fix planned
5.4     Catalyst 4000, 5000, 6000          Affected, no fix planned
5.5     Catalyst 4000, 5000, 6000                    5.5(13.5)     5.5(14)
6.1     Catalyst 4000, 5000, 6000          Affected, no fix planned
6.2     Catalyst 4000, 5000, 6000          Affected, no fix planned
6.3     Catalyst 4000, 5000, 6000                    6.3(5.10)     6.3(6)
6.4     Catalyst 4000, 5000, 6000          Not affected
7.1     Catalyst 4000, 6000                Affected, no fix planned
7.2     Catalyst 4000, 6000                          7.2(0.65)     7.2(1)
7.3     Catalyst 4000, 6000                Not affected
7.4     Catalyst 4000, 6000                          7.4(0.2)CLR   7.4(1)
7.5     Catalyst 4000, 6000                Not affected
7.6     Catalyst 4000, 6000                Not affected
8.1     Catalyst 6000                      Not affected

* All dates are estimates and subject to change.
** Interim releases are subjected to less rigorous testing than regular maintenance releases, and may have serious bugs.
-
This vulnerability has been reported to Cisco by a customer. The Cisco PSIRT has received no reports of malicious exploitation of this vulnerability and we are not aware of any public discussion.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0   2003-July-09 16:00 UTC (GMT)        Initial public release
Revision 1.1   2003-July-10 18:00 UTC (GMT)        Added 4.x, 6.1, 6.2 and 7.1 releases to the "Software Versions and Fixes" table
Revision 1.2   2003-July-14 20:30 UTC (GMT)        Added 5.1, 5.2, 5.3, 5.4, and 7.3 to the "Software Versions and Fixes" table
Revision 1.3   2003-July-15 20:30 UTC (GMT)        Added 7.5 and 7.6 to the "Software Versions and Fixes" table
Revision 1.4   2003-July-28 22:00 UTC (GMT)        Corrected description field for CatOS 7.1 in the "Software Versions and Fixes" table
Revision 1.5   2003-September-08 12:24 UTC (GMT)   Added 4.5 to the "Software Versions and Fixes" table
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.