Release Notes for Cisco IOS Release 12.2SY
Chronological List of Releases
Policy Feature Card Guidelines and Restrictions
Distributed and Centralized Forwarding Cards
Distributed Forwarding Card 4XL
Centralized Forwarding Card (WS-F6700-CFC)
10-Gigabit Ethernet Switching Modules
WS-X6908-10GE 8-Port 10-Gigabit Ethernet X2 Switching Module
WS-X6816-10T-2T, WS-X6716-10T 16-Port 10-Gigabit Ethernet Copper Switching Module
WS-X6816-10G-2T, WS-X6716-10G 16-Port 10-Gigabit Ethernet X2 Switching Module
WS-X6704-10GE 4-Port 10-Gigabit Ethernet XENPAK Switching Module
Gigabit Ethernet Switching Modules
WS-X6848-SFP-2T, WS-X6748-SFP 48-Port Gigabit Ethernet SFP Switching Module
WS-X6824-SFP-2T, WS-X6724-SFP 24-Port Gigabit Ethernet SFP Switching Module
10/100/1000 Ethernet Switching Modules
WS-X6848-TX-2T, WS-X6748-GE-TX
WS-X6148A-GE-TX, WS-X6148A-GE-45AF
WS-X6148-FE-SFP Fast Ethernet Switching Module
WS-X6148A-RJ-45, WS-X6148A-45AF 10/100 Ethernet Switching Modules
Power over Ethernet Daughtercards
Small Form-Factor Pluggable (SFP) Modules
Application Control Engine (ACE) Module
Firewall Services Module (FWSM)
Network Analysis Modules (NAMs)
Wireless Services Module (WiSM)
New Features in Release 12.2(50)SY4
New Hardware Features in Release 12.2(50)SY4
New Software Features in Release 12.2(50)SY4
New Features in Release 12.2(50)SY3
New Hardware Features in Release 12.2(50)SY3
New Software Features in Release 12.2(50)SY3
New Features in Release 12.2(50)SY2
New Hardware Features in Release 12.2(50)SY2
New Software Features in Release 12.2(50)SY2
New Features in Release 12.2(50)SY1
New Hardware Features in Release 12.2(50)SY1
New Software Features in Release 12.2(50)SY1
New Features in Release 12.2(50)SY
New Hardware Features in Release 12.2(50)SY
New Software Features in Release 12.2(50)SY
Software Features from Earlier Releases
Open Caveats in Release 12.2(50)SY and Rebuilds
Caveats Resolved in Release 12.2(50)SY4
Caveats Resolved in Release 12.2(50)SY3
Caveats Resolved in Release 12.2(50)SY2
Caveats Resolved in Release 12.2(50)SY1
Caveats Resolved in Release 12.2(50)SY
Additional Troubleshooting Information
System Software Upgrade Instructions
Obtaining Documentation and Submitting a Service Request
Note This publication applies to the Supervisor Engine 2T-10GE (CAT6000-VS-S2T-10G/MSFC5) platform.
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_bulletin0900aecd804f0694.html
The most current version of this document is available on Cisco.com at this URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/release/notes/ol_20679.html
This publication consists of these sections:
These releases support the hardware listed in the “Supported Hardware” section:
– Release 12.2(50)SY4
• Date of release: 28 Feb 2013
• Based on Release 12.2(50)SY3
– Release 12.2(50)SY3
• Date of release: 14 Sep 2012
• Based on Release 12.2(50)SY2
– Release 12.2(50)SY2
• Date of release: 23 May 2012
• Based on Release 12.2(50)SY1
– Release 12.2(50)SY1
• Date of release: 30 Nov 2011
– Release 12.2(50)SY
• Date of release: 29 Jun 2011
• Based on Release 12.2(33)SXI3
Note Release 12.2(50)SY supports only Ethernet ports. Release 12.2(50)SY does not support any WAN features or commands.
These sections describe the hardware supported in Release 12.2(50)SY and later releases:
Note Enter the show power command to display current system power usage.
Note For information about DRAM requirements on all supervisor engines, see this publication:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/qa_c67_457347.html
– Policy Feature Card 4XL (PFC4XL).
– Policy Feature Card 4 (PFC4).
See the “Policy Feature Cards” section.
– For CompactFlash Type II flash PC cards sold by Cisco Systems, Inc., for use in Supervisor Engine 2T-10GE.
– QoS architecture: 2q4t / 1p3q4t
– Ports 1, 2, and 3: Gigabit Ethernet SFP (fiber or 1000 Mbps RJ-45)
– Support for 10-Gigabit Ethernet X2 transceivers
• With ports 1, 2, and 3 enabled: 2q4t / 1p3q4t
• With ports 1, 2, and 3 disabled: 8q4t / 1p7q4t
Note See the Supervisor Engine 2T-10GE Connectivity Management Processor Configuration Guide for information about the 10/100/1000 Mbps RJ-45 port.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/cmp_configuration/guide/sup2T_10GEcmp.html
Supervisor Engine 2T-10GE Restrictions
The defaults for XL mode are:
– IPv4 unicast and MPLS: 512,000 routes
– IPv4 multicast and IPv6 unicast and multicast: 256,000 routes
The defaults for Non-XL mode are:
– IPv4 unicast and MPLS: 192,000 routes
– IPv4 multicast and IPv6 unicast and multicast: 32,000 routes
Note The size of the global internet routing table plus any local routes might exceed the non-XL mode default partition sizes.
These are the theoretical maximum numbers of routes for the supported protocols (the maximums are not supported simultaneously):
– XL mode:
• IPv4 and MPLS: Up to 1,007,000 routes
• IPv4 multicast and IPv6 unicast and multicast: Up to 503,000 routes
– Non-XL mode:
• IPv4 and MPLS: Up to 239,000 routes
• IPv4 multicast and IPv6 unicast and multicast: Up to 119,000 routes
Enter the platform cef maximum-routes command to repartition the hardware FIB table. IPv4 unicast and MPLS require one hardware FIB table entry per route. IPv4 multicast and IPv6 unicast and multicast require two hardware FIB table entries per route. Changing the partition for one protocol makes corresponding changes in the partitions of the other protocols. You must enter the reload command to put configuration changes made with the platform cef maximum-routes command into effect.
Note With a non-XL-mode system, if your requirements cannot be met by repartitioning the hardware FIB table, upgrade components as necessary to operate in XL mode.
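The partition arithmetic above is easy to get wrong because IPv4 multicast and IPv6 routes cost two hardware FIB entries each while IPv4 unicast and MPLS routes cost one. The Python helper below is an added example written for this page (it is not Cisco code): it checks a requested partition against the per-protocol maximums quoted above and against the size of the whole table, and computes how large the two-entry partition can still be beside a given IPv4/MPLS partition. The total table size is an assumption derived from the defaults above: the XL defaults sum to 1,024,000 entries and the non-XL defaults to 256,000, and the single-protocol maximums stop roughly 17,000 entries short of those sums, which the model treats as reserved. The entry weights and the per-protocol limits are the figures from the release notes.

```python
"""Hardware FIB partition check for Supervisor Engine 2T (constructed example).

Entry weights and per-protocol limits are the figures given in the release
notes. The total capacity per mode is an ASSUMPTION derived from them: the
default partitions sum to 1,024,000 entries (XL) and 256,000 entries
(non-XL), and the single-protocol maximums fall about 17,000 entries short
of those sums, which this model treats as reserved.
"""
from dataclasses import dataclass

# FIB entries consumed per route (from the release notes).
ENTRIES_PER_ROUTE = {"ipv4_mpls": 1, "ipv6_mcast": 2}

# Per-mode defaults and theoretical maximums (from the release notes).
MODES = {
    "xl": {
        "default": {"ipv4_mpls": 512_000, "ipv6_mcast": 256_000},
        "maximum": {"ipv4_mpls": 1_007_000, "ipv6_mcast": 503_000},
    },
    "non-xl": {
        "default": {"ipv4_mpls": 192_000, "ipv6_mcast": 32_000},
        "maximum": {"ipv4_mpls": 239_000, "ipv6_mcast": 119_000},
    },
}


def fib_entries(ipv4_mpls: int, ipv6_mcast: int) -> int:
    """FIB entries consumed: 1 per IPv4/MPLS route, 2 per IPv4-multicast/IPv6 route."""
    return (ipv4_mpls * ENTRIES_PER_ROUTE["ipv4_mpls"]
            + ipv6_mcast * ENTRIES_PER_ROUTE["ipv6_mcast"])


def capacity(mode: str) -> int:
    """Assumed total FIB capacity: the sum of the default partitions for the mode."""
    d = MODES[mode]["default"]
    return fib_entries(d["ipv4_mpls"], d["ipv6_mcast"])


@dataclass
class PartitionCheck:
    mode: str
    ipv4_mpls: int
    ipv6_mcast: int
    entries: int
    capacity: int
    problems: list


def check_partition(mode: str, ipv4_mpls: int, ipv6_mcast: int) -> PartitionCheck:
    """Validate a requested partition against per-protocol maximums and total capacity.

    An empty `problems` list means the request fits; each problem string says
    which limit is violated, so the operator can shrink a partition or, on a
    non-XL system, see that XL-mode hardware is needed.
    """
    limits = MODES[mode]["maximum"]
    problems = []
    if ipv4_mpls > limits["ipv4_mpls"]:
        problems.append(f"ipv4/mpls {ipv4_mpls:,} exceeds {mode} maximum {limits['ipv4_mpls']:,}")
    if ipv6_mcast > limits["ipv6_mcast"]:
        problems.append(f"ipv6/multicast {ipv6_mcast:,} exceeds {mode} maximum {limits['ipv6_mcast']:,}")
    used = fib_entries(ipv4_mpls, ipv6_mcast)
    cap = capacity(mode)
    if used > cap:
        problems.append(f"{used:,} entries exceed assumed {mode} capacity {cap:,}")
    return PartitionCheck(mode, ipv4_mpls, ipv6_mcast, used, cap, problems)


def max_ipv6_mcast_for(mode: str, ipv4_mpls: int) -> int:
    """Largest two-entry partition that still fits beside a given IPv4/MPLS partition.

    This is the 'corresponding change in the other partition' the notes mention:
    every extra IPv4/MPLS entry removes half a route from the IPv6/multicast side.
    """
    remaining = capacity(mode) - ipv4_mpls * ENTRIES_PER_ROUTE["ipv4_mpls"]
    by_capacity = max(remaining, 0) // ENTRIES_PER_ROUTE["ipv6_mcast"]
    return min(by_capacity, MODES[mode]["maximum"]["ipv6_mcast"])


if __name__ == "__main__":
    # Constructed scenario: a full Internet table plus local routes (450k IPv4
    # prefixes) and a modest IPv6 table (20k routes).
    for mode in MODES:
        result = check_partition(mode, 450_000, 20_000)
        print(mode, "entries:", result.entries, "problems:", result.problems or "none")
    print("non-XL with 230k IPv4/MPLS routes leaves room for",
          max_ipv6_mcast_for("non-xl", 230_000), "IPv6/multicast routes")
```

The constructed scenario fits the XL defaults without repartitioning but cannot be made to fit a non-XL system at all, which is the case the note above resolves by upgrading to XL-mode components. Because the change only takes effect after a reload, running a check like this beforehand is cheaper than discovering the shortfall afterwards.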
– PFC4 and DFC4—No restrictions (PFC4 mode).
– PFC4 and DFC4XL—The PFC4 restricts DFC4XL functionality: the DFC4XL functions as a DFC4 (PFC4 mode).
– PFC4XL and DFC4—PFC4XL functionality is restricted by the DFC4: after a reload with a DFC4-equipped module installed, the PFC4XL functions as a PFC4 (PFC4 mode).
Note See the “Policy Feature Cards” section for Policy Feature Cards (PFC) and Distributed Forwarding Card (DFC) restrictions.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Config_Notes/OL_24918.html
http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps11878/data_sheet_c78-648214.html
Note WS-X6908-10G and WS-X6908-10G-XL are the orderable product IDs.
8-port 10-Gigabit Ethernet X2 module (has WS-F6K-DFC4-E)
Note The orderable product IDs are:
16-port 10-Gigabit Ethernet copper (RJ-45) module
– Oversubscription mode: 1p7q2t/1p7q4t
(Must be upgraded with …)
(Has WS-F6K-DFC4-E)
(Must be upgraded with …)
Note The orderable product IDs are:
16-port 10-Gigabit Ethernet X2 module
– Oversubscription mode: 1p7q2t/1p7q4t
– Performance mode: 8q4t/1p7q4t
(Must be upgraded with …)
(Has WS-F6K-DFC4-E)
(Must be upgraded with …)
4-port 10-Gigabit Ethernet XENPAK module
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_12409.html
48-port Gigabit Ethernet SFP module (has WS-F6K-DFC4-A)
24-port Gigabit Ethernet SFP module (has WS-F6K-DFC4-A)
These sections describe the supported 10/100/1000 Ethernet switching modules:
(has WS-F6K-DFC4-A)
Note The power over Ethernet (PoE) daughtercard “Power Required” values do not include the power drawn by phones.
Note The WS-X6716-10GE does not support X2 modules that are labeled with a number that ends with -01. (This restriction does not apply to X2-10GB-LRM.)
http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6574/product_data_sheet0900aecd801f92aa.html
– SFP-H10GB-CU1M: 1m Twinax cable, passive, 30AWG cable assembly
– SFP-H10GB-CU3M: 3m Twinax cable, passive, 30AWG cable assembly
– SFP-H10GB-CU5M: 5m Twinax cable, passive, 24AWG cable assembly
– 10GBASE-ER: serial 1550-nm extended-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF). Note X2-10GB-ER modules labeled with a number that ends with -02 do not provide EMI compliance with WS-X6716-10GE.
– 10GBASE-LR: serial 1310-nm long-reach, single-mode fiber (SMF), dispersion-shifted fiber (DSF). Note X2-10GB-LR modules labeled with a number that ends with -02 or -03 do not provide EMI compliance with WS-X6716-10GE.
– 10GBASE-LX4: serial 1310-nm multimode (MMF). See http://www.cisco.com/en/US/ts/fn/misc/FN62840.html
Note For information about DWDM XENPAKs, see the Cisco 10GBase DWDM XENPAK Modules data sheet:
http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6576/product_data_sheet0900aecd801f9333.html
http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps5138/product_data_sheet09186a008007cd00_ps5251_Products_Data_Sheet.html
Note For information about coarse wavelength-division multiplexing (CWDM) SFPs, see the Cisco CWDM GBIC and SFP Solutions data sheet:
http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6575/product_data_sheet09186a00801a557c_ps4999_Products_Data_Sheet.html
http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6576/product_data_sheet0900aecd80582763.html
http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6577/product_data_sheet0900aecd8033f885.html
Note The WS-X6148-FE-SFP supports Fast Ethernet SFPs.
http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6578/product_data_sheet0900aecd801f931c.html
Note GLC-GE-100FX Fast Ethernet SFPs are not supported.
Note For service modules that run their own software, see the service module software release notes for information about the minimum required service module software version.
http://www.cisco.com/en/US/ts/fn/610/fn61935.html
ACE20-MOD-K9 runs its own software. See these publications: http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html See the ACE20-MOD-K9 software release notes for information about the minimum required service module software version.
WS-SVC-FWM-1-K9 runs its own software. See these publications: http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home.html See the WS-SVC-FWM-1-K9 software release notes for information about the minimum required WS-SVC-FWM-1-K9 software version.
NAM modules run their own software. See these publications for more information:
See the software release notes for information about the minimum required NAM software version.
WS-SVC-WISM-1-K9 runs its own software. See these publications: http://www.cisco.com/en/US/products/ps6526/tsd_products_support_eol_model_home.html See the WS-SVC-WISM-1-K9 software release notes for information about the minimum required WS-SVC-WISM-1-K9 software version.
Note The power supplies in this section are not supported in these chassis:
– Before April 2009: 1024 chassis MAC addresses
– Starting in April 2009: 64 chassis MAC addresses
Note Chassis with 64 MAC addresses automatically enable the Extended System ID feature, which is enabled with the spanning-tree extend system-id command. You cannot disable the extended system ID in chassis that support 64 MAC addresses. The Extended System ID feature might already be enabled in your network, because it is required to support both extended-range VLANs and any chassis with 64 MAC addresses. Enabling the extended system ID feature for the first time updates the bridge IDs of all active STP instances, which might change the spanning tree topology.
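The following Python example, added here and not part of the Cisco release notes, works through why enabling the extended system ID rewrites bridge IDs and can move the root bridge. The bridge ID layout follows IEEE 802.1D/802.1Q: a 16-bit priority field followed by a 48-bit MAC address, with the numerically lowest bridge ID winning root election. Without the extended system ID, each VLAN's STP instance uses its own MAC from the chassis pool (which is what the 1024-MAC chassis provide); with it, the 16-bit field is split into a 4-bit priority and a 12-bit system ID extension carrying the VLAN ID, and every instance shares the chassis base MAC (which is what lets a 64-MAC chassis run per-VLAN spanning tree at all). The chassis MAC values, the legacy per-VLAN MAC allocation (base MAC plus VLAN number) and the two-switch topology are constructed assumptions for the illustration.

```python
"""STP bridge-ID arithmetic behind the extended-system-ID note (constructed example).

Bridge ID = 16-bit priority field || 48-bit MAC; lowest ID wins root election.
Legacy mode: the priority field is the raw 16-bit priority and each VLAN
instance uses its own MAC from the chassis pool.
Extended system ID: priority field = 4-bit priority (multiples of 4096)
+ 12-bit VLAN ID, and every instance shares the chassis base MAC.
"""

MAC_MASK = 0xFFFF_FFFF_FFFF


def bridge_id(priority: int, mac: int, vlan: int, extended: bool) -> int:
    """Return the 64-bit bridge ID for one VLAN's STP instance as an integer."""
    if not 0 <= vlan <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits")
    if extended:
        # Only the top 4 bits are configurable; the low 12 bits carry the VLAN.
        if priority % 4096 or not 0 <= priority <= 61440:
            raise ValueError("with extended system ID the priority must be a multiple of 4096")
        field = priority + vlan
    else:
        if not 0 <= priority <= 65535:
            raise ValueError("priority must fit in 16 bits")
        field = priority
    return (field << 48) | (mac & MAC_MASK)


def split_extended(field: int) -> tuple:
    """Split an extended-system-ID priority field into (configured priority, VLAN)."""
    return (field & 0xF000, field & 0x0FFF)


def format_bridge_id(bid: int) -> str:
    """Render a bridge ID the way 'show spanning-tree' prints it: field.xxxx.xxxx.xxxx."""
    field = bid >> 48
    mac_hex = f"{bid & MAC_MASK:012x}"
    return f"{field}.{mac_hex[0:4]}.{mac_hex[4:8]}.{mac_hex[8:12]}"


def elect_root(bridges: dict) -> str:
    """Return the name of the bridge whose ID is numerically lowest."""
    return min(bridges, key=bridges.__getitem__)


# Constructed scenario: switches A and C, both at the default priority 32768,
# competing for root of VLAN 10. A holds the lower chassis MAC pool. Assumed
# legacy per-VLAN MAC allocation: base MAC + VLAN number.
VLAN = 10
BASE_A = 0x0011_2233_4400
BASE_C = 0x0011_2233_4500


def scenario(a_extended: bool, c_extended: bool) -> str:
    """Root bridge for VLAN 10 given which switches run with the extended system ID."""
    mac_a = BASE_A if a_extended else BASE_A + VLAN
    mac_c = BASE_C if c_extended else BASE_C + VLAN
    return elect_root({
        "A": bridge_id(32768, mac_a, VLAN, a_extended),
        "C": bridge_id(32768, mac_c, VLAN, c_extended),
    })


if __name__ == "__main__":
    print("neither extended:", scenario(False, False))  # A: lower MAC decides
    print("only A extended: ", scenario(True, False))   # C: A now advertises 32778 > 32768
    print("both extended:   ", scenario(True, True))    # A: fields equal again, MAC decides
    print("A, VLAN 10, extended:",
          format_bridge_id(bridge_id(32768, BASE_A, VLAN, True)))
```

The mixed case is the one the note warns about: while A runs with the extended system ID and C does not, A's VLAN 10 instance advertises a priority field of 32778 instead of 32768 and loses an election it previously won on MAC address alone, so the root (and with it the blocked ports) moves. Comparing the configured priorities of neighbouring switches before enabling the feature is the practical check, and since root election is purely "lowest bridge ID wins", the same arithmetic is why uplinks that must never see a new root are protected with root guard.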
Release 12.2SY supports only the hardware listed in the “Supported Hardware” section. Unsupported modules remain powered down if detected and do not affect system behavior.
Release 12.2SX supported these modules, which are not supported in Release 12.2SY:
Use Cisco Feature Navigator to display information about the images and feature sets in Release 12.2(50)SY.
These releases include strong encryption images. Strong encryption images are subject to U.S. and local country export, import, and use laws. The countries and classes of end users eligible to receive and use Cisco encryption solutions are limited. See this publication for more information:
http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/contract_compliance.html
The Universal Boot Loader (UBL) image is a minimal network-aware image that can download and install a Cisco IOS image from a running active supervisor engine in the same chassis. When newly installed as a standby supervisor engine in a redundant configuration, a supervisor engine running the UBL image automatically attempts to copy the image of the running active supervisor engine in the same chassis.
SX SY ISSU Compatibility Matrix (also known as the EFSU compatibility matrix)
Behavior changes describe the minor modifications that are sometimes introduced in a software release. When behavior changes are introduced, existing documentation is updated.
These sections describe the new features in Release 12.2(50)SY4, 28 Feb 2013:
These sections describe the new features in Release 12.2(50)SY3, 14 Sep 2012:
These sections describe the new features in Release 12.2(50)SY2, 23 May 2012:
These sections describe the new features in Release 12.2(50)SY1, 30 Nov 2011:
These sections describe the new features in Release 12.2(50)SY, 29 Jun 2011:
Release 12.2(50)SY supports the hardware listed in the “Supported Hardware” section. The following hardware is supported for the first time in Release 12.2(50)SY:
– WS-X6908-10G-XL (has WS-F6K-DFC4-EXL)
– WS-X6908-10G (has WS-F6K-DFC4-E)
Note Some switching modules previously supported with a DFC3 can be ordered with a DFC4:
Note On Sup2T (EARL8), new MAC addresses learned from routed frames might not be synchronized immediately across all DFCs. When a new MAC address is learned from a routed frame, no FF is created, so the MAC tables on the DFCs in the system can remain out of sync until the periodic software synchronization runs (approximately every 160 seconds). As a workaround, the platform mac address-table synchronize learn layer3 command was added to let the Supervisor Engine 2T learn new MAC addresses (and MAC moves) from routed traffic. This command is disabled by default.
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/12-2sy/ip6-sec-trfltr-fw.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/qos_policy_based_queueing.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/introduction.html#Blue_Beacon
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/callhome.html#Configuring_a_Destination_Profile_for_Email
http://www.cisco.com/en/US/docs/ios/ipswitch/configuration/guide/cef_snmp_mib.html
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/ident-conn_config.html
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_urpf_mib.html
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cns_services.html
http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/configuration/12-2sy/nm-snmp-cfg-snmp-support.html
http://www.cisco.com/en/US/docs/ios/cether/configuration/guide/ce_cfm_y1731.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/control_plane_policing_copp.html#CoPP_for_multicast
http://www.cisco.com/en/US/docs/ios-xml/ios/fnetflow/configuration/12-2sy/config-cpu-fne.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/dynamic_arp_inspection.html#Configuring_DAI_Hardware_Acceleration
http://www.cisco.com/en/US/docs/ios-xml/ios/sys-image-mgmt/configuration/12-2sy/sysimgmgmt-12-2sy-book.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/qos_class_mark_police.html#Distributed_Aggregate_Policers
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/diagnostic_tests.html
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_overview.html
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_policy_cli.html
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_policy_tcl.html
http://www.cisco.com/en/US/docs/ios/cether/configuration/guide/ce_cfm.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/ethernet_virtual_connection.html
http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/get_start_cfg_fnflow.html
http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/cust_fnflow_rec_mon.html
http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/cgf-mcast.html
http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/cust_fnflow_rec_mon.html
http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/cfg_de_fnflow_exprts.html
http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/use_fnflow_redce_cpu.html
http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/cgf-topn.html
HA SSO and RPR support—See this publication:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/fast_software_upgrade.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/ipv4_multicast.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/ios_acl_support.html#Hitless_ACL_Update
http://www.cisco.com/en/US/docs/ios-xml/ios/https/configuration/12-2sy/nm-http-web.html
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_hvpls_npe_red.html
http://www.cisco.com/en/US/docs/ios-xml/ios/cether/configuration/12-2sy/ce-cfm-ieee.html
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/ipv4_igmp_snooping.html
http://www.cisco.com/en/US/docs/ios/ipsla/configuration/guide/sla_lsp_mon_autodisc.html
http://www.cisco.com/en/US/docs/ios/ipsla/configuration/guide/sla_metro_ethernet.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/ip_source_guard.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/12-2sy/ip6-mng-apps.html
http://www.cisco.com/en/US/docs/ios/ipsla/configuration/guide/sla_udp_echo.html
http://www.cisco.com/en/US/docs/ios/ipsla/configuration/guide/sla_tcp.html
http://www.cisco.com/en/US/docs/ios/ipsla/configuration/guide/sla_icmp_echo.html
http://www.cisco.com/en/US/docs/ios/ipsla/configuration/guide/sla_udp_jitter.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/12-2sy/ip6-mng-apps.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/ios_acl_support.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/12-2sy/ip6-multicast.html
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-0sy/ip6-addrg-bsc-con.html
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/configuring_interfaces.html#Configuring_Jumbo_Frame_Support
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/L2omGRE.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/ios_acl_support.html#Dry_Run_Support_for_ACLs
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/ios_acl_support.html#Configuring_MAC_ACLs
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/12-2sy/ip6-multicast.html
http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/get_start_cfg_fnflow.html
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_pw_status.html
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_te_path_prot.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/qos_policy_based_queueing.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/introduction.html#Multicast_Bidirectional_PIM_support_for_8_Rendezvous_Points_(RP)_in_Hardware
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/ipv4_multicast.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/ipv6_multicast.html
http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/ios_netflow_roadmap.html
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_trnsprt_mlps_atom.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_resil/configuration/12-2sy/imc-resil-12-2sy-book.html
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_vpls_atom.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/onboard_failure_logging.html
http://www.cisco.com/en/US/docs/ios-xml/ios/interface/command/ir-o1.html#GUID-464753DB-036E-4225-9AF9-2580245E747E
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/control_plane_policing_copp.html#Packet_Based_CoPP
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/port_security.html#Packets_dropped_in_hardware_on_source-miss_for_port-security_violation
http://www.cisco.com/en/US/docs/ios/ipmulti/configuration/guide/imc_monitor_maint.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/qos_class_mark_police.html#Understanding_Policing
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/virtual_switching_systems.html#Configuring_Port_Load_Share_Deferral_on_the_Peer_Switch
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/port_security.html#Port_Security_on_Etherchannel_Trunk_Port
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/qos_class_mark_police.html#Understanding_Traffic_Classification
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/qos_restrictions.html#QOS_support_for_IGMP_MLD_and_PIM_frames
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/diagnostic_tests.html
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_secure_shell_v2.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/ios_acl_support.html
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/arch_over.html
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/ident-conn_config.html
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/sxp_config.html
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/arch_over.html
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/ident-conn_config.html
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/arch_over.html
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/sxp_config.html
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/arch_over.html
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/sxp_config.html
http://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/cust_fnflow_rec_mon.html
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/arch_over.html
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/ident-conn_config.html
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/arch_over.html
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/ident-conn_config.html
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/arch_over.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/15-1s/cts-sgt-handling-imp-fwd.html
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/sxp_config.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/denial_of_service.html#Unicast_Reverse_Path_Forwarding_for_IPv6
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-0sy/ip6-addrg-bsc-con.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/denial_of_service.html#uRPF_16_path_support
Virtual Private LAN Services (VPLS)—See this publication:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/vpls.html
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_hvpls_npe_red.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/vpls.html#VPLS_QoS_Support
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_basic_sys_manage.html
http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/Cisco_IOS_Configuration_Fundamentals_Command_Reference.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/virtual_switching_systems.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/configuration/12-2sy/iap-wccp.html
WCCP: VRF Support—See this publication:
http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/configuration/12-2sy/iap-wccp.html
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cfg_wsma.html
Web Services Management Agent with TLS—See this publication:
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cfg_wsma.html
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_xmlpi_v1.html
Use Cisco Feature Navigator to display supported features that were introduced in earlier releases.
Release 12.2(50)SY does not support mls commands or mls as a keyword. See this document for a list of some of the mls commands that have been replaced:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/replacement_commands.html
Note Some of the replacement commands implemented in Release 12.2(50)SY support different keyword and parameter values than those supported by the Release 12.2SX commands.
Note The IPsec Network Security feature (configured with the crypto ipsec command) is not supported.
These features are not supported in Release 12.2(50)SY:
Note Release 12.2(50)SY supports server load balancing (SLB) as implemented on the Application Control Engine (ACE) module (ACE20-MOD-K9).
Note Release 12.2(50)SY supports the SPAN and VACL redirect features, which have equivalent functionality.
Note Release 12.2(50)SY supports IEEE 802.1Q trunking.
Note Release 12.2(50)SY supports these spanning tree protocols:
– Rapid Spanning Tree Protocol (RSTP):
• spanning-tree mode rapid-pvst global configuration mode command
• Enabled by default
– Multiple Spanning Tree Protocol (MSTP):
• spanning-tree mode mst global configuration mode command
• Can be enabled
Note Release 12.2(50)SY supports the Firewall Services Module (WS-SVC-FWM-1-K9).
The Cisco IOS Software implementation of the virtual routing and forwarding (VRF) aware network address translation (NAT) feature contains a vulnerability when translating IP packets that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-nat
Note: The March 27, 2013, Cisco IOS Software Security Advisory bundled publication includes seven Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2013 bundled publication.
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar13.html
The Cisco IOS Software Network Address Translation (NAT) feature contains two denial of service (DoS) vulnerabilities in the translation of IP packets.
The vulnerabilities are caused when packets in transit on the vulnerable device require translation.
Cisco has released free software updates that address these vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-nat
Note: The September 26, 2012, Cisco IOS Software Security Advisory bundled publication includes 9 Cisco Security Advisories. Eight of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses a vulnerability in Cisco Unified Communications Manager. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the September 2012 bundled publication.
Individual publication links are in the “Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep12.html
Other Caveats Resolved in Release 12.2(50)SY3
Resolved Infrastructure Caveats
Summary A vulnerability exists in the Cisco IOS software that may allow a remote application or device to exceed its authorization level when authentication, authorization, and accounting (AAA) authorization is used. This vulnerability requires that the HTTP or HTTPS server is enabled on the Cisco IOS device.
Products that are not running Cisco IOS software are not vulnerable.
Cisco has released free software updates that address these vulnerabilities.
The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-pai
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 8.5/7.0:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-0384 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Summary A vulnerability in the Multicast Source Discovery Protocol (MSDP) implementation of Cisco IOS Software and Cisco IOS XE Software could allow a remote, unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp
Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C CVE ID CVE-2012-0382 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
The Cisco IOS Software Internet Key Exchange (IKE) feature contains a denial of service (DoS) vulnerability.
Cisco has released free software updates that address this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-ike
Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.
Individual publication links are in “Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html
Other Caveats Resolved in Release 12.2(50)SY2
Symptoms: Memory use by the ‘BGP Router’ process increases due to BGP path attributes. Memory used by this process increases constantly, as does the number of BGP path attributes, while the number of routes does not increase.
Conditions: This issue occurs with continuous churn in the network such that BGP never manages to converge, and when the churning paths do not reuse the existing path attributes. This causes those paths to allocate new path attributes.
Workaround: Reload the router if low memory conditions are reached or identify the root cause of the churn and attempt to fix that.
Further Problem Description: Cisco IOS Software contains a vulnerability that could allow an unauthenticated, remote attacker to exhaust the memory of an affected device.
The vulnerability is due to BGP code, when processing BGP path attributes. An attacker could exploit this vulnerability by causing path instability in the BGP environment. An exploit could allow the attacker to deplete the memory of the affected device.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2012-5039 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Summary: A vulnerability exists in the Cisco IOS software that may allow a remote application or device to exceed its authorization level when authentication, authorization, and accounting (AAA) authorization is used. This vulnerability requires that the HTTP or HTTPS server is enabled on the Cisco IOS device.
Products that are not running Cisco IOS software are not vulnerable.
Cisco has released free software updates that address these vulnerabilities.
The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-pai
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 8.5/7: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C CVE ID CVE-2012-0384 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Summary: A vulnerability in the Multicast Source Discovery Protocol (MSDP) implementation of Cisco IOS Software and Cisco IOS XE Software could allow a remote, unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp
Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C CVE ID CVE-2012-0382 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
The Cisco IOS Software Internet Key Exchange (IKE) feature contains a denial of service (DoS) vulnerability.
Cisco has released free software updates that address this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-ike
Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.
Individual publication links are in “Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html
The Cisco IOS Software network address translation (NAT) feature contains multiple denial of service (DoS) vulnerabilities in the translation of the following protocols:
NetMeeting Directory (Lightweight Directory Access Protocol, LDAP)
Session Initiation Protocol (Multiple vulnerabilities)
H.323 protocol
All the vulnerabilities described in this document are caused by packets in transit on the affected devices when those packets require application layer translation.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-nat
Symptoms: Configuring an event manager policy may cause a Cisco router to stop responding.
Conditions: This issue is seen when a TCL policy is configured and copied to the device.
Workaround: There is no workaround.
Symptom: Slow processor memory leak seen in TCP Protocols
Conditions: This is only found in 12.2(33)SXI4 and later. A block of memory will be leaked every time a user creates an exec session to the router.
Further Problem Description: Cisco IOS Software contains a vulnerability that could allow an authenticated, remote attacker to exhaust the memory of an affected device.
The vulnerability is due to new code introduced into the 12.2XSH and 12.2SXI trains. An attacker could exploit this vulnerability by repeatedly making a VTY management session to the device. An exploit could allow the attacker to exhaust the available memory of the device resulting in a denial of service.
Affected Releases: 12.2(33)SXH8 12.2(33)SXH8a 12.2(33)SXH8b 12.2(33)SXI4 12.2(33)SXI4a 12.2(33)SXI5 12.2(33)SXI5a 12.2(33)SXJ 12.2(50)SY
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-5036 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Other Caveats Resolved in Release 12.2(50)SY1
Symptom: Memory leak in AAA attributes, followed by a router crash.
Condition: The leak is caused by the fallback method ‘enable’ configured in the EOU method list.
Workaround: Do not use enable or line as AAA fallback methods in the corresponding method lists.
Symptoms: Router reloads after authentication attempt fails on console.
Conditions: Occurs while performing AAA accounting. The accounting structure was freed twice, which results in a crash. Occurs when the aaa accounting send stop-record authentication failure command is configured, which sends a stop record for an authentication failure.
Workaround: Remove the aaa accounting send stop-record authentication failure command.
Symptom: Router crashes on an authentication RESPONSE to GETUSER when the getuser-header-flags field is modified and sent.
Conditions: TACACS single-connection is configured. Occurs when authorization is configured, a user Telnets to the router, authorization is then removed, and the user Telnets to the router again.
Workaround: Do not use TACACS single-connection option.
The server side of the Secure Copy (SCP) implementation in Cisco IOS software contains a vulnerability that could allow authenticated users with an attached command-line interface (CLI) view to transfer files to and from a Cisco IOS device that is configured to be an SCP server, regardless of what users are authorized to do, per the CLI view configuration. This vulnerability could allow valid users to retrieve or write to any file on the device’s file system, including the device’s saved configuration and Cisco IOS image files, even if the CLI view attached to the user does not allow it. This configuration file may include passwords or other sensitive information.
The Cisco IOS SCP server is an optional service that is disabled by default. CLI views are a fundamental component of the Cisco IOS Role-Based CLI Access feature, which is also disabled by default. Devices that are not specifically configured to enable the Cisco IOS SCP server, or that are configured to use it but do not use role-based CLI access, are not affected by this vulnerability.
This vulnerability does not apply to the Cisco IOS SCP client feature.
Cisco has released free software updates that address this vulnerability.
There are no workarounds available for this vulnerability apart from disabling either the SCP server or the CLI view feature if these services are not required by administrators.
This advisory is posted at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-scp
Symptoms: A privilege level 1 user is able to log in with a higher privilege level.
Conditions: This symptom is observed on a Cisco platform when the aaa new-model command is enabled, when the privilege level level command is present under the vty lines, and when the level argument has any value from 2 through 15.
Workaround: Do not configure privilege level 1 but configure any other privilege level.
Symptoms: When no aaa new-model is configured, authentication happens through the local database even when TACACS is configured. This happens for the exec users under the vty configuration.
Conditions: Configure no aaa new-model, configure login local under line vty 0 4 and configure login tacacs under line vty 0 4.
Workaround: There is no workaround.
Symptoms: Users may be able to access root view mode (privilege level) 15 without entering a password.
Conditions: This symptom is observed on a Cisco router that has the Role-Based CLI Access feature enabled and occurs when the none keyword is enabled in the default login method list.
For example, the symptom may occur when you enter the aaa authentication login default group tacacs+ none command. When the TACACS+ server is down, users are allowed to enter non-privileged mode. However, users can also access the root view through the enable view command without having to enter a password.
Workaround: Ensure that the none keyword is not part of the default login method list.
Further Problem Description: The fix for this caveat places the authentication of the enable view command in the default login method list.
Symptom: When accessing VTY lines configured for TACACS AAA authentication, the remote access session will not get access to the device.
Conditions: When TACACS is used for VTY user authentication, the remote access session stops being processed after the username and password have been entered. Operation of the device otherwise continues as normal; only the remote VTY session cannot be used.
Workaround: Local Authentication or RADIUS could be used as a workaround.
Symptom: Cisco IOS device may reload in very rare circumstances after receiving certain packets. The BFD process may restart due to a critical software exception.
Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs.
Workarounds are available to help mitigate this vulnerability.
This issue is triggered by a logic error when processing extended communities on the PE device.
This issue cannot be deterministically exploited by an attacker.
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-vpn
Recent research (1) has shown that it is possible to cause BGP sessions to remotely reset by injecting invalid data, specifically AS_CONFED_SEQUENCE data, into the AS4_PATH attribute provided to store 4-byte ASN paths. Since AS4_PATH is an optional transitive attribute, the invalid data will be transited through many intermediate ASes which will not examine the content. For this bug to be triggered, an operator does not have to be actively using 4-byte AS support.
The root cause of this problem is the Cisco implementation of RFC 4893 (4-byte ASN support). This RFC states that AS_CONFED_SEQUENCE data in the AS4_PATH attribute is invalid. However, it does not explicitly state what to do if such invalid data is received, so the Cisco implementation of this RFC sends a BGP NOTIFICATION message to the peer and the BGP session is terminated.
RFC 4893 is in the process of getting updated to avoid this problem, and the fix for this bug implements the proposed change. The proposed change is as follows:
“To prevent the possible propagation of confederation path segments outside of a confederation, the path segment types AS_CONFED_SEQUENCE and AS_CONFED_SET [RFC5065] are declared invalid for the AS4_PATH attribute. A NEW BGP speaker MUST NOT send these path segment types in the AS4_PATH attribute of an UPDATE message. A NEW BGP speaker that receives these path segment types in the AS4_PATH attribute of an UPDATE message MUST discard these path segments, adjust the relevant attribute fields accordingly, and continue processing the UPDATE message.”
The only affected version of Cisco IOS that supports RFC 4893 is 12.0(32)S12, released in December 2008.
(1) For more information please visit:
http://www.merit.edu/mail.archives/nanog/msg14345.html
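The quoted RFC text prescribes the receiver behaviour that the fix for this caveat implements: discard confederation path segments found in AS4_PATH, adjust the attribute accordingly, and keep processing the UPDATE instead of sending a NOTIFICATION. The following is an added example of that handling, written here for illustration and not Cisco's implementation: it decodes an AS4_PATH attribute value, rejects attributes whose segment lengths do not match the attribute length, drops AS_CONFED_SEQUENCE and AS_CONFED_SET segments, and re-encodes what remains. The sample attribute bytes are constructed for the demonstration.

```python
"""Sanitising a BGP AS4_PATH attribute per the RFC 4893 update quoted above.

Added example, not Cisco's implementation: it decodes the attribute value,
discards AS_CONFED_SEQUENCE / AS_CONFED_SET segments instead of tearing the
session down, and re-encodes what remains so the attribute length is adjusted.
Sample attribute bytes are constructed here for the demonstration.
"""
import struct

# Path segment types (RFC 4271 section 4.3; confederation types from RFC 5065).
AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
_KNOWN_TYPES = {AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET}
_CONFED_TYPES = {AS_CONFED_SEQUENCE, AS_CONFED_SET}


def parse_as4_path(value: bytes) -> list:
    """Decode an AS4_PATH value into [(segment_type, [asn, ...]), ...].

    Each segment is a 1-byte type, a 1-byte AS count and count 4-octet ASNs.
    Anything that does not fit that layout raises ValueError rather than being
    guessed at; a zero-length segment is treated as malformed here as well.
    """
    segments = []
    pos = 0
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated segment header")
        seg_type, count = value[pos], value[pos + 1]
        pos += 2
        if seg_type not in _KNOWN_TYPES:
            raise ValueError(f"unknown path segment type {seg_type}")
        if count == 0 or len(value) - pos < 4 * count:
            raise ValueError("segment AS count does not match attribute length")
        asns = list(struct.unpack(f"!{count}I", value[pos:pos + 4 * count]))
        pos += 4 * count
        segments.append((seg_type, asns))
    return segments


def encode_as4_path(segments) -> bytes:
    """Inverse of parse_as4_path: re-encode segments as AS4_PATH value bytes."""
    out = bytearray()
    for seg_type, asns in segments:
        out += struct.pack(f"!BB{len(asns)}I", seg_type, len(asns), *asns)
    return bytes(out)


def sanitize_as4_path(value: bytes) -> tuple:
    """Return (cleaned_value, dropped_segment_count).

    Confederation segments are discarded and processing continues, which is
    the behaviour the updated RFC text prescribes in place of a NOTIFICATION.
    """
    segments = parse_as4_path(value)
    kept = [seg for seg in segments if seg[0] not in _CONFED_TYPES]
    return encode_as4_path(kept), len(segments) - len(kept)


# Constructed sample: a legitimate 4-byte AS sequence with a stray
# AS_CONFED_SEQUENCE segment of the kind that reset sessions in this caveat.
SAMPLE_AS4_PATH = encode_as4_path([
    (AS_SEQUENCE, [65536, 4200000000]),
    (AS_CONFED_SEQUENCE, [65001]),
    (AS_SET, [65537]),
])

if __name__ == "__main__":
    cleaned, dropped = sanitize_as4_path(SAMPLE_AS4_PATH)
    print("dropped", dropped, "segment(s); kept", parse_as4_path(cleaned))
```

Because AS4_PATH is optional transitive, a speaker that does not understand 4-byte ASNs forwards the attribute untouched, so the cleanup has to happen at every NEW speaker that does parse it; a structurally malformed attribute is a different case from a well-formed one carrying confederation segments, and the parser separates the two by raising on the former only.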
Symptom: A Cisco IOS device that receives a BGP update message and as a result of AS prepending needs to send an update downstream that would have over 255 AS hops will send an invalid formatted update. This update when received by a downstream BGP speaker triggers a NOTIFICATION back to the sender which results in the BGP session being reset.
Conditions: This problem is seen when a Cisco IOS device receives a BGP update and due to a combination of either inbound, outbound, or both AS prepending it needs to send an update downstream that has more than 255 AS hops.
Workaround: The workaround is to implement bgp maxas-limit X on the device that after prepending would need to send an update with over 255 AS hops. Since IOS limits the route-map prepending value to 10 the most that could be added is 21 AS hops (10 on ingress, 10 on egress, and 1 for normal eBGP AS hop addition). Therefore, a conservative value to configure would be 200 to prevent this condition.
Recent versions of Cisco IOS Software support RFC4893 (“BGP Support for Four-octet AS Number Space”) and contain two remote denial of service (DoS) vulnerabilities when handling specific Border Gateway Protocol (BGP) updates.
These vulnerabilities affect only devices running Cisco IOS Software with support for four-octet AS number space (hereafter referred to as 4-byte AS number) and BGP routing configured.
The first vulnerability could cause an affected device to reload when processing a BGP update that contains autonomous system (AS) path segments made up of more than one thousand autonomous systems.
The second vulnerability could cause an affected device to reload when the affected device processes a malformed BGP update that has been crafted to trigger the issue.
Cisco has released free software updates to address these vulnerabilities.
No workarounds are available for the first vulnerability.
A workaround is available for the second vulnerability.
This advisory is posted at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090729-bgp
Symptom: On a Cisco 7600 router with the DHCP relay agent configured on an unnumbered VLAN interface, DHCP packets (DHCP ACK / DHCP OFFER) coming from the DHCP server can be padded with random bits of data, and the packet length field is not updated.
Conditions: DHCP Relay is configured on Vlan interface with “ip helper address”
Workaround: Disable DHCP Snooping
Resolved c7600-portsecur Caveats
Symptom: When a switchport is configured for the port-security feature and line-rate traffic from a highly scaled set of MAC addresses (more than 4k) is sent, the router crashes because all Layer 2 traffic is punted to the SP (switch processor).
Conditions: port-security feature is enabled.
Workaround: Rate-limit the Layer 2 traffic with the following command: mls rate-limit layer2 port-security 5000
Resolved c7600-sip-600 Caveats
Symptom: Unicast traffic originating from a SPA card may not be encrypted
Condition: Traffic originates from a SPA card in a SIP-600. Outbound traffic is configured for GRE with tunnel protection.
Resolved cat6000-l2-infra Caveats
Symptoms: Two subinterfaces may have the same CEF interface index.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router when the following configuration sequence occurs:
1) Create subinterface 1, 2, and 3.
In this situation, subinterface 1 and 4 may have the same CEF IDB.
Workaround: There is no workaround. You must reload the platform to clear the symptoms.
Resolved cat6000-mcast Caveats
Symptom: Bus error crash (signal 10) seen after the following error message:
Conditions: This has been observed on a Catalyst 6500 running IOS version 12.2(18)SXF1.
Workaround: A workaround exists: disable IPv6 MLD snooping with the command no ipv6 mld snooping.
There is no negative impact from implementing the workaround as long as there is no IPv6 multicast traffic in the network.
Symptom: A Cisco IOS device supporting IPv6 MLD may crash with a data bus error exception and stack trace PC = 0xA0000100
Conditions: Device is running normal production traffic. Presence of malformed MLD packet in this network caused the issue.
Workaround: Disabling MLD snooping on the VLAN or globally on the box will stop the crash.
Certain Cisco Catalyst 6500 Series and Cisco 7600 Router devices that run branches of Cisco IOS based on 12.2 can be vulnerable to a denial of service vulnerability that can prevent any traffic from entering an affected interface. For a device to be vulnerable, it must be configured for Open Shortest Path First (OSPF) Sham-Link and Multi Protocol Label Switching (MPLS) Virtual Private Networking (VPN). This vulnerability only affects Cisco Catalyst 6500 Series or Catalyst 7600 Series devices with the Supervisor Engine 32 (Sup32), Supervisor Engine 720 (Sup720) or Route Switch Processor 720 (RSP720) modules. The Supervisor 32, Supervisor 720, Supervisor 720-3B, Supervisor 720-3BXL, Route Switch Processor 720, Route Switch Processor 720-3C, and Route Switch Processor 720-3CXL are all potentially vulnerable.
OSPF and MPLS VPNs are not enabled by default.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080326-queue
Cisco Catalyst 6500, 6500 series and Cisco 7600 series that have a Network Analysis Module installed are vulnerable to an attack, which could allow an attacker to gain complete control of the system. Only Cisco Catalyst systems that have a NAM on them are affected. This vulnerability affects systems that run Internetwork Operating System (IOS) or Catalyst Operating System (CatOS).
Cisco has made free software available to address this vulnerability for affected customers.
A Cisco Security Advisory for this vulnerability is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070228-nam
Resolved cat6000-sw-fwding Caveats
Symptoms: Cisco Catalyst 6500 and Cisco 7600 modules are reachable via 127.0.0.x addresses.
Conditions: Cisco Catalyst 6500 and Cisco 7600 series devices use addresses from the 127.0.0.0/8 (loopback) range in the Ethernet Out-of-Band Channel (EOBC) for internal communication.
Addresses from this range that are used in the EOBC on Cisco Catalyst 6500 and Cisco 7600 series devices are accessible from outside of the system. The Supervisor module, Multilayer Switch Feature Card (MSFC), or any other intelligent module may receive and process packets that are destined for the 127.0.0.0/8 network. An attacker can exploit this behavior to bypass existing access control lists; however, an exploit will not allow an attacker to bypass authentication or authorization. Valid authentication credentials are still required to access the module in question.
Per RFC 3330, a packet that is sent to an address anywhere within the 127.0.0.0/8 address range should loop back inside the host and should never reach the physical network. However, some host implementations send packets to addresses in the 127.0.0.0/8 range outside their Network Interface Card (NIC) and onto the network. Certain implementations that normally do not send packets to addresses in the 127.0.0.0/8 range may also be configured to do so.
Destination addresses in the 127.0.0.0/8 range are not routed on the Internet. This factor limits the exposure of this issue.
This issue is applicable to systems that run Hybrid Mode (Catalyst OS (CatOS) software on the Supervisor Engine and IOS Software on the MSFC) and Native Mode (IOS Software on both the Supervisor Engine and the MSFC).
Workaround: Administrators can apply an access control list that filters packets to the 127.0.0.0/8 address range to interfaces where attacks may be launched.
Control Plane Policing (CoPP) can be used to block traffic with a destination IP address in the 127.0.0.0/8 address range sent to the device. Cisco IOS Software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP may be configured on a device to protect the management and control planes to minimize the risk and effectiveness of direct infrastructure attacks. CoPP protects the management and control planes by explicitly permitting only authorized traffic that is sent to infrastructure devices in accordance with existing security policies and configurations.
Additional information on the configuration and use of the CoPP feature is available at the following link:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html
Infrastructure Access Control Lists (iACLs) are also considered a network security best practice and should be considered long-term additions to effective network security as well as a workaround for this specific issue. The white paper entitled “Protecting Your Core: Infrastructure Protection Access Control Lists” presents guidelines and recommended deployment techniques for infrastructure protection ACLs. The white paper is available at the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
Symptoms: Specifically crafted CDP packets can cause a router to allocate and keep extra memory. Exploitation of this behaviour by sending multiple specifically crafted CDP packets could cause memory allocation problems on the router.
Conditions: This issue occurs in IOS images that have the fix for CSCse85200.
Workaround: Disable CDP on interfaces where CDP is not required.
Further Problem Description: Because CDP is a Layer-2 protocol, the symptom can only be triggered by routers that reside on the same network segment.
Symptom: An IOS software crash may occur when receiving a specific malformed DHCP packet.
Conditions: An IOS device is configured as a DHCP server and receives a DHCP request from a DHCP relay device. A specific malformed option in the packet may induce a software traceback or crash. The specific packet will not occur without manual modification.
A router that has DHCP server enabled could reload after receiving a malformed UDP packet.
A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.
There are workarounds available for this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070110-dlsw
Cisco IOS contains multiple vulnerabilities in the Data-link Switching (DLSw) feature that may result in a reload or memory leaks when processing specially crafted UDP or IP Protocol 91 packets.
Cisco has released free software updates that address these vulnerabilities. Workarounds are available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080326-dlsw
Symptom: Cisco IOS router may crash after receiving malformed EIGRP packets.
Workaround: Only allow EIGRP packets from trusted neighbours.
Symptom: Processing of certain external routes with EIGRP is not correct. The external information, i.e. originating router ID, originating protocol, etc., is 0.
Symptom: Router running IPv6 in IP tunnelling may reload upon receiving a malformed packet.
Conditions: Router needs to be configured for IPv6 in IP tunneling.
A vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated output, such as the output from a show buffers command, will be passed to the browser requesting the page. This HTML code could be interpreted by the client browser and potentially execute malicious commands against the device or other possible cross-site scripting attacks. Successful exploitation of this vulnerability requires that a user browse a page containing dynamic content in which HTML commands have been injected.
Cisco will be making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20051201-http
Symptom: The Cisco IOS HTTP server and the Cisco IOS HTTPS server provide web server functionality to be used by other Cisco IOS features that require it to function. For example, embedded device managers available for some Cisco IOS devices need the Cisco IOS HTTP server or the Cisco IOS HTTPS server to be enabled as a prerequisite.
One of the functionalities provided by the Cisco IOS HTTP server and the Cisco IOS HTTPS server is the WEB_EXEC module, which is the HTTP-based IOS EXEC Server. The WEB_EXEC module allows for both “show” and “configure” commands to be executed on the device through requests sent over the HTTP protocol.
Both the Cisco IOS HTTP server and the Cisco IOS HTTPS server use the locally configured enable password (configured by using the enable password or enable secret commands) as the default authentication mechanism for any request received. Other mechanisms can also be configured to authenticate requests to the HTTP or HTTPS interface. Some of those mechanisms are the local user database, an external RADIUS server or an external TACACS+ server.
If an enable password is not present in the device configuration, and no other mechanism has been configured to authenticate requests to the HTTP interface, the Cisco IOS HTTP server and the Cisco IOS HTTPS server may execute any command received without requiring authentication. Any commands up to and including commands that require privilege level 15 might then be executed on the device. Privilege level 15 is the highest privilege level on Cisco IOS devices.
Conditions: For a Cisco IOS device to be affected by this issue all of the following conditions must be met:
– An enable password is not present in the device configuration
– Either the Cisco IOS HTTP server or the Cisco IOS HTTPS server is enabled
– No other authentication mechanism has been configured for access to the Cisco IOS HTTP server or Cisco IOS HTTPS server. Such mechanisms might include the local user database, RADIUS (Remote Authentication Dial In User Service), or TACACS+ (Terminal Access Controller Access-Control System)
The Cisco IOS HTTP server is enabled by default on some Cisco IOS releases.
Workaround: Any of the following workarounds can be implemented:
– Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an enable password
Customers requiring the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server must configure an authentication mechanism for any requests received. One option is to use the enable password or enable secret commands to configure an enable password. The enable password is the default authentication mechanism used by both the Cisco IOS HTTP server and the Cisco IOS HTTPS server if no other method has been configured.
In order to configure an enable password by using the enable secret command, add the following line to the device configuration:
Replace mypassword with a strong password of your choosing. For guidance on selecting strong passwords, please refer to your site security policy. The document entitled “Cisco IOS Password Encryption Facts” explains the differences between using the enable secret and the enable password commands to configure an enable password. This document is available at the following link: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00809d38a7.shtml
– Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an authentication mechanism other than the default
Configure an authentication mechanism for access to the Cisco IOS HTTP server or the Cisco IOS HTTPS server other than the default. Such authentication mechanism can be the local user database, an external RADIUS server, an external TACACS+ server or a previously defined AAA (Authentication, Authorization and Accounting) method. As the procedure to enable an authentication mechanism for the Cisco IOS HTTP server and the Cisco IOS HTTPS server varies across Cisco IOS releases and considering other additional factors, no example will be provided. Customers looking for information about how to configure an authentication mechanism for the Cisco IOS HTTP server and for the Cisco IOS HTTPS server are encouraged to read the document entitled “AAA Control of the IOS HTTP Server”, which is available at the following link: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml
– Disabling the Cisco IOS HTTP Server and/or the Cisco IOS HTTPS server functionality
Customers who do not require the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server can disable it by adding the following commands to the device configuration:
no ip http server
no ip http secure-server
The second command might return an error message if the Cisco IOS version installed and running on the device does not support the HTTPS server feature. This error message is harmless and can safely be ignored.
Please be aware that disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server may impact other features that rely on it. As an example, disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server will disable access to any embedded device manager installed on the device.
Further Problem Description: In addition to the explicit workarounds detailed above it is highly recommended that customers limit access to Cisco IOS HTTP server and the Cisco IOS HTTPS server to only trusted management hosts. Information on how to restrict access to the Cisco IOS HTTP server and the Cisco IOS HTTPS server based on IP addresses is available at the following link: http://www.cisco.com/en/US/docs/ios-xml/ios/https/configuration/12-4/nm-http-web.html#GUID-BB57C0D5-71DB-47C5-9C11-8146773D1127
Customers are also advised to review the “Management Plane” section of the document entitled “Cisco Guide to Harden Cisco IOS Devices” for additional recommendations to secure management connections to Cisco IOS devices. This document is available at the following link: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
Symptom: Three separate Cisco IOS Hypertext Transfer Protocol (HTTP) cross-site scripting (XSS) vulnerabilities and a cross-site request forgery (CSRF) vulnerability have been reported to Cisco by three independent researchers.
The Cisco Security Response is posted at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090114-http
Conditions: See “Additional Information” section in the posted response for further details.
Workarounds: See “Workaround” section in the posted response for further details.
Symptoms: Syslog displays password when copying the configuration via FTP.
Conditions: This symptom occurs when copying via FTP. The Syslog message displays the password given by the user as part of syntax of FTP copy.
Workaround: There is no workaround.
Resolved ios-authproxy Caveats
The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition.
Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.
Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected.
Only devices running certain versions of Cisco IOS are affected.
Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
This advisory will be posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20050907-auth_proxy
Cisco IOS Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.
There are no workarounds that mitigate this vulnerability.
This advisory is posted at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090923-auth-proxy
Resolved ios-firewall-aic Caveats
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
– Session Initiation Protocol (SIP)
– Media Gateway Control Protocol (MGCP)
– Signaling protocols H.323, H.245
– Real-time Transport Protocol (RTP)
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070808-IOS-voice.
Symptom: If an ACL is edited using sequence numbers in RPR or SSO mode, any subsequent supervisor switchover or reset of the standby can cause configuration errors on the standby. As a result, if the standby ever becomes active, the running security ACL configuration may not be correct.
Conditions: An ACL must be configured on the primary RPR, then a switchover must be made to the secondary RPR.
Workaround: Check the configuration after every RPR switchover to ensure that corruption did not occur, and reconfigure if needed.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
CVE ID CVE-2011-0955 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Symptoms: A router may reload after reporting SYS-3-OVERRUN or SYS-3-BADBLOCK error messages. SYS-2-GETBUF with ‘Bad getbuffer’ error may also be reported.
Condition: Occurs when PIM auto-RP is configured and IP multicast boundary is enabled with the filter-autorp option.
Workaround: Configure IP multicast boundary without the filter-autorp option.
Symptoms: MSFC crashes with Red Zone memory corruption.
Conditions: This problem is seen when processing an Auto-RP packet and NAT is enabled.
Workaround: There is no workaround.
Symptom: IOS device may reload unexpectedly
Conditions: The Multicast Routing Monitor (MRM) feature must be enabled and corrupted traffic is received by the MRM responder.
Workarounds: Disable the MRM feature.
Symptom: Used Processor Memory increasing day by day
Conditions: IPSec connection is configured, device using VPN Service Module.
Workaround: The only workaround is to reload the router.
Symptom: When a Phase 1 SA (MM or AM) is being set up and the client does quick retransmissions within a window of one second, the server stops the retransmission timer for the SA. If the client then stops retransmitting or sends no further messages, the SA on the server side is leaked until the lifetime timer expires.
Workaround: Clear the ISAKMP SA manually.
Symptoms: If a spoke cannot complete IKE phase I because of a bad certificate, the failed IKE sessions may not be deleted on an IPSec/IKE responder. Such failed sessions may accumulate, eventually causing router instability. These failed sessions can be seen in the output of the show crypto isakmp sa | i MM command:
Conditions: These symptoms are observed when RSA signatures are used as the authentication method.
Symptoms: The Cisco IOS may experience high CPU utilization.
Conditions: ISAKMP is enabled.
Further Information: This issue can occur if the Cisco IOS device processes a malformed IKE message.
Cisco IOS devices that are configured for Internet Key Exchange (IKE) protocol and certificate based authentication are vulnerable to a resource exhaustion attack. Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 security associations (SA) and prevent the establishment of new IPsec sessions.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090923-ipsec
Symptoms: A device that is running Cisco IOS software may crash during processing of an Internet Key Exchange (IKE) message.
Conditions: The device must have a valid and complete configuration for IPsec. IPsec VPN features in Cisco IOS software that use IKE include Site-to- Site VPN tunnels, EzVPN (server and remote), DMVPN, IPsec over GRE, and GET VPN.
Workaround: Customers that do not require IPsec functionality on their devices can use the no crypto isakmp enable command in global configuration mode to disable the processing of IKE messages and eliminate device exposure.
If IPsec is configured, this bug may be mitigated by applying access control lists that limit the hosts or IP networks that are allowed to establish IPsec sessions with affected devices. This assumes that IPsec peers are known. This workaround may not be feasible for remote access VPN gateways where the source IP addresses of VPN clients are not known in advance. ISAKMP uses port UDP/500 and can also use UDP/848 (the GDOI port) when GDOI is in use; when NAT traversal is in use, IKE and ESP are also carried over UDP/4500, so any such ACL must cover that port as well.
Further Problem Description: This bug is triggered deep into the IKE negotiation, and an exchange of messages between IKE peers is necessary.
If IPsec is not configured, it is not possible to reach the point in the IKE negotiation where the bug exists.
If a key is configured on a tunnel interface, the inbound access-list on that interface is ignored.
This problem is seen with a configuration that is similar to the following
Problem does not occur if “tunnel key” is not configured.
Workaround is to remove the “tunnel key”.
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090923-tunnels
Processing a specially crafted IPv6 Type 0 Routing header can crash a device running Cisco IOS software. This vulnerability does not affect IPv6 Type 2 Routing header which is used in mobile IPv6. IPv6 is not enabled by default in Cisco IOS.
Cisco has made free software available to address this vulnerability for affected customers.
There are workarounds available to mitigate the effects of the vulnerability. The workaround depends on if Mobile IPv6 is used and what version on Cisco IOS is being currently used.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070124-IOS-IPv6
Symptoms: After launching a flood of random IPv6 router advertisements when an interface is configured with “ipv6 address autoconf”, removing the IPv6 configuration on the interface with “no ipv6 address autoconf” may cause a reload. Other system instabilities are also possible during and after the flood of random IPv6 router advertisements.
Conditions: Cisco IOS is configured with “ipv6 address autoconf”.
Workarounds: Not using IPv6 auto-configuration may be used as a workaround.
Further Information: Cisco IOS checks for the hop limit field in incoming Neighbour Discovery messages and packets received with a hop limit not equal to 255 are discarded. This means that the flood of ND messages has to come from a host that is directly connected to the Cisco IOS device.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2010-4671 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
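The hop-limit check described above is why the flood must originate on-link: RFC 4861 requires a receiver to discard any Neighbor Discovery message whose IPv6 hop limit is not 255, and a packet that has been forwarded by any router cannot arrive with that value. The following Python function is an added example, not part of these release notes or of Cisco IOS, that applies that check (plus code and checksum validation) to raw IPv6 packets before they would reach an ND code path. The packet builder and the link-local and all-nodes sample addresses are constructed for the demonstration, and the filter assumes no IPv6 extension headers sit between the base header and ICMPv6.

```python
import struct
from ipaddress import IPv6Address

ICMPV6 = 58
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}

# Constructed sample addresses: an on-link router and the all-nodes group.
SAMPLE_SRC = IPv6Address("fe80::1").packed
SAMPLE_DST = IPv6Address("ff02::1").packed


def icmpv6_checksum(src: bytes, dst: bytes, icmp: bytes) -> int:
    """ICMPv6 checksum over the IPv6 pseudo-header plus the message."""
    pseudo = src + dst + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + bytes([ICMPV6])
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(src: bytes, dst: bytes, hop_limit: int) -> bytes:
    """Build a minimal Router Advertisement (no options) inside an IPv6 header."""
    # RA body: cur hop limit, flags, router lifetime, reachable time, retrans timer
    body = struct.pack("!BBHII", 64, 0, 1800, 0, 0)
    csum = icmpv6_checksum(src, dst, struct.pack("!BBH", 134, 0, 0) + body)
    icmp = struct.pack("!BBH", 134, 0, csum) + body
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, hop_limit) + src + dst
    return ip6 + icmp


def nd_filter(packet: bytes):
    """Decide whether one raw IPv6 packet may reach the ND code path.

    Returns (accept, reason). Non-ND traffic passes through untouched;
    ND messages must carry hop limit 255, code 0 and a valid checksum.
    """
    if len(packet) < 44:
        return False, "truncated"
    vtf, plen, nh, hlim = struct.unpack("!IHBB", packet[:8])
    src, dst = packet[8:24], packet[24:40]
    if vtf >> 28 != 6:
        return False, "not IPv6"
    if nh != ICMPV6:
        # Assumption: no extension headers; a real filter would walk the chain.
        return True, "not ICMPv6; no ND rule applies"
    icmp = packet[40:]
    if len(icmp) != plen:
        return False, "payload length mismatch"
    icmp_type, code = icmp[0], icmp[1]
    name = ND_TYPES.get(icmp_type)
    if name is None:
        return True, "ICMPv6 type %d is not ND" % icmp_type
    if hlim != 255:
        # A forwarded packet cannot arrive with 255: the sender was not on-link.
        return False, "%s with hop limit %d != 255, dropped" % (name, hlim)
    if code != 0:
        return False, "%s with non-zero code, dropped" % name
    expected = icmpv6_checksum(src, dst, icmp[:2] + b"\x00\x00" + icmp[4:])
    if struct.unpack("!H", icmp[2:4])[0] != expected:
        return False, "%s with bad checksum, dropped" % name
    return True, "%s accepted" % name


if __name__ == "__main__":
    for hl in (255, 64):
        print(hl, nd_filter(build_ra(SAMPLE_SRC, SAMPLE_DST, hl)))
```

The filter only decides admission; it does not parse RA options, so an on-link attacker can still flood well-formed advertisements with hop limit 255, which is exactly the case the caveat describes and why the workaround is to avoid autoconfiguration on untrusted segments.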
Symptom: A Cisco router configured for multicast VPN may reload after receiving a malformed MDT data group join packet.
Conditions: Affects all IOS versions that support mVPN MDT.
Workaround: Filter out MDT Data Join messages from the router sending the malformed packet using a Receive Access Control List (rACL) feature. Note by doing this, the offending router will not be able to participate within the mVPN data trees.
The following example shows how to block malformed MDT Data Join messages that are sent from the device’s IP addresses using a receive ACL:
Note: Ensure that the rACL does not filter critical traffic such as routing protocols or interactive access to the routers. Filtering necessary traffic could result in an inability to remotely access the router, thus requiring a console connection. For this reason, lab configurations should mimic the actual deployment as closely as possible.
As always, Cisco recommends that you test this feature in the lab prior to deployment. For more information on rACLs, refer to “Protecting Your Core: Infrastructure Protection Access Control Lists” at
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a0a5e.shtml.
A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.
This advisory is posted at http://www.cisco.com/en/US/products/csa/cisco-sa-20080326-mvpn.html.
Cisco IOS Software Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) is vulnerable to a Denial of Service (DoS) attack from specially crafted packets. Only the MFI is affected by this vulnerability. Older Label Forwarding Information Base (LFIB) implementation, which is replaced by MFI, is not affected.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-mfi
Symptom: Failure to NAT certain LDAP packets
Conditions: NAT configured, NAT of LDAP at layer 4 is enabled by default.
Workaround: Disable Layer 4 NAT of LDAP packets using the no-payload keyword in the NAT rule configuration, for example:
ip nat outside source static tcp 192.168.0.1 389 192.168.1.2 389 no-payload
Symptoms: A device configured with the NETCONF feature reloads.
Conditions: This symptom is observed when a device configured for either NETCONF over SSH or NETCONF over BEEP receives a specially crafted packet.
Workaround: There is no workaround.
Further Problem Description: To be exploited, the session must first be authenticated.
For further details on NETCONF over SSH, consult the “NETCONF over SSH” configuration guide at the following link: http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srnetcon.html
For further details on NETCONF over BEEP, consult the “NETCONF over BEEP” configuration guide at the following link:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htnetbe.html
Symptom: IOS device crash when traffic is routed under certain conditions
Conditions: At the time of publication of this release note, this vulnerability had only been observed on Cisco 2900 series switches; however, the vulnerability is in common code, so it could also be seen on other platforms running Cisco IOS Software without this fix. Both of the following conditions must be met:
– The device is enabled for routing.
– The next-hop node is unresponsive to ARP.
One scenario for this issue is a static route pointing to a node that does not respond; the crash happens when multiple ARP requests are sent to the unresponsive next hop.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/5.4
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:H/RL:U/RC:C
CVE ID CVE-2011-1615 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
This is the Cisco Product Security Incident Response Team (PSIRT) response to a vulnerability that was reported on the Cisco NSP mailing list on August 17, 2007 regarding the crash and reload of devices running Cisco IOS after executing a command that uses, either directly or indirectly, a regular expression. The original post is available at the following link:
http://puck.nether.net/pipermail/cisco-nsp/2007-August/043002.html
The Cisco PSIRT posted a preliminary response on the same day and is available at the following link:
http://puck.nether.net/pipermail/cisco-nsp/2007-August/043010.html
Preliminary research pointed to a previously known issue that was documented as Cisco bug ID CSCsb08386 (registered customers only), and entitled “PRP crash by show ip bgp regexp”, which was already resolved. Further research indicates that the current issue is a different but related vulnerability.
There are no workarounds available for this vulnerability. Cisco will update this document in the event of any changes.
The full text of this response is available at
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070912-regexp
Symptoms: Cisco IOS device may crash.
Conditions: A Cisco IOS device may crash upon receiving a malformed OSPF message.
Before the issue can be triggered, the Cisco IOS device must be able to establish adjacency with an OSPF peer. The issue will then occur when the processing an OSPF message sent by the peer.
Workaround: There is no workaround. Using OSPF authentication can reduce/minimize the chance of hitting this issue.
Symptom: The router may report AUTORP-4-PAK_ERR.
Conditions: PIM Auto-RP is configured and ip multicast boundary is enabled with filter-autorp option.
Workaround: Configure ip multicast boundary without filter-autorp option.
Symptoms: PIM packets may be processed on interfaces which PIM is not explicitly configured.
Conditions: Unknown at this time.
Workarounds: Create an ACL to drop PIM packets to such interfaces.
A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
The vulnerable cryptographic library is used in the following Cisco products:
– Cisco IOS, documented as Cisco bug ID CSCsd85587
– Cisco IOS XR, documented as Cisco bug ID CSCsg41084
– Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999
– Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348
– Cisco Firewall Service Module (FWSM) CSCsi97695
This vulnerability is also being tracked by CERT/CC as VU#754281.
Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070522-crypto.
Note: Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070522-crypto and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070522-SSL
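The advisory above says only that a malformed ASN.1 object triggers the defect, not what the defect is. As an added example that is not the library the advisory refers to and not Cisco code, the following Python DER walker shows the two checks an ASN.1 parser needs so that a crafted length or nesting cannot drive it past its buffer or into unbounded recursion: every length is bounded by the enclosing element's end rather than the whole buffer, and constructed-type recursion is capped. The sample encodings are constructed; multi-byte tags are deliberately unsupported.

```python
from typing import List, Tuple, Union

DerNode = Tuple[int, Union[bytes, List["DerNode"]]]


class DerError(ValueError):
    """Raised for any encoding the parser refuses."""


def _read_length(data: bytes, pos: int, end: int) -> Tuple[int, int]:
    """Decode a DER length at pos; returns (length, new_pos)."""
    if pos >= end:
        raise DerError("truncated: no length byte")
    first = data[pos]
    pos += 1
    if first < 0x80:                       # short form
        return first, pos
    n = first & 0x7F
    if n == 0:
        raise DerError("indefinite length is BER, not DER")
    if n > 4:
        raise DerError("length field of %d bytes rejected" % n)
    if pos + n > end:
        raise DerError("truncated: length bytes run past end")
    if data[pos] == 0:
        raise DerError("non-minimal length encoding")
    length = int.from_bytes(data[pos:pos + n], "big")
    if length < 0x80:
        raise DerError("long form used for a short length")
    return length, pos + n


def _parse(data: bytes, pos: int, end: int, depth: int, max_depth: int) -> List[DerNode]:
    items: List[DerNode] = []
    while pos < end:
        tag = data[pos]
        pos += 1
        if tag & 0x1F == 0x1F:
            raise DerError("multi-byte tags not supported in this example")
        length, pos = _read_length(data, pos, end)
        # Key check: bound the length by the *enclosing* element's end, not the
        # whole buffer, so a child can never escape its parent or the input.
        if length > end - pos:
            raise DerError("length %d exceeds remaining %d bytes" % (length, end - pos))
        body_end = pos + length
        if tag & 0x20:                     # constructed: recurse with a depth cap
            if depth + 1 > max_depth:
                raise DerError("nesting deeper than %d" % max_depth)
            items.append((tag, _parse(data, pos, body_end, depth + 1, max_depth)))
        else:
            items.append((tag, bytes(data[pos:body_end])))
        pos = body_end
    return items


def parse_der(data: bytes, max_depth: int = 16) -> List[DerNode]:
    """Parse a DER byte string into (tag, value-or-children) nodes."""
    return _parse(data, 0, len(data), 0, max_depth)


def is_well_formed(data: bytes, max_depth: int = 16) -> bool:
    try:
        parse_der(data, max_depth)
        return True
    except DerError:
        return False


def nested_sequences(n: int) -> bytes:
    """Constructed sample: n empty SEQUENCEs nested inside one another."""
    out = b""
    for _ in range(n):
        out = b"\x30" + bytes([len(out)]) + out
    return out


# Constructed samples.
GOOD = bytes.fromhex("300702010104026162")         # SEQUENCE { INTEGER 1, OCTET STRING "ab" }
OVERLONG = bytes.fromhex("307f020101")             # claims 127 bytes, carries 3
ESCAPES_PARENT = bytes.fromhex("3003020501")       # child INTEGER longer than its SEQUENCE
HUGE_LENGTH = bytes.fromhex("3084ffffffff")        # 4 GiB length field
INDEFINITE = bytes.fromhex("30800000")             # BER indefinite form, illegal in DER

if __name__ == "__main__":
    print(parse_der(GOOD))
    for name, sample in (("OVERLONG", OVERLONG), ("ESCAPES_PARENT", ESCAPES_PARENT),
                         ("HUGE_LENGTH", HUGE_LENGTH), ("INDEFINITE", INDEFINITE)):
        print(name, is_well_formed(sample))
```

The parent-bounded length check is the one most often missing in hand-written TLV code: checking only against the total buffer size lets a nested element read its siblings' bytes as its own, which is a disclosure or crash waiting to happen once the caller trusts the returned slice.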
The Cisco IOS Stack Group Bidding Protocol (SGBP) feature in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable denial of service condition. Devices that do not support or have not enabled the SGBP protocol are not affected by this vulnerability.
Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.
Cisco has published a Security Advisory on this issue; it is available at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20060118-sgbp
Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.
The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.
This advisory will be posted at
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080610-snmpv3
Symptom: System may reload upon receiving a malformed SNMP request.
Condition: This condition occurs if a system receives a specially crafted SNMP request. In order to exploit this, an attacker needs to know a valid SNMP community string.
Symptoms: A router that is configured for HTTP secure-server may reload unexpectedly because of an internal memory corruption.
Conditions: IOS HTTP Secure server enabled
Workaround: Disable HTTPS with “no ip http secure-server”
A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability an offending IPv6 packet must be targeted to the device. Packets that are routed through the router cannot trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is the Resource Reservation Protocol (RSVP) service, which if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.
Cisco is providing fixed software to address this issue. There are workarounds available to mitigate the effects of the vulnerability.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080326-IPv4IPv6
A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service attack when any of several features of Cisco IOS Software are enabled. A sequence of specially crafted TCP/IP packets could cause any of the following results:
– The configured feature may stop accepting new connections or sessions.
– The memory of the device may be consumed.
– The device may experience prolonged high CPU utilization.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the “workarounds” section of the advisory.
The advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-ip
The server side of the Secure Copy (SCP) implementation in Cisco Internetwork Operating System (IOS) contains a vulnerability that allows any valid user, regardless of privilege level, to transfer files to and from an IOS device that is configured to be a Secure Copy server. This vulnerability could allow valid users to retrieve or write to any file on the device’s filesystem, including the device’s saved configuration. This configuration file may include passwords or other sensitive information.
The IOS Secure Copy Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS Secure Copy Server service are not affected by this vulnerability.
This vulnerability does not apply to the IOS Secure Copy Client feature.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070808-scp.
Symptoms: Malformed SSH version 2 packets may cause a memory leak, causing the platform to operate under a degraded condition. Under rare circumstances, the platform may reload to recover itself.
Conditions: This symptom is observed on a Cisco platform that is configured for SSH version 2 after it has received malformed SSHv2 packets.
Workaround: As an interim solution until the affected platform can be upgraded to a Cisco IOS software image that contains the fix for caveat CSCse24889, configure SSH version 1 from global configuration mode (note that SSH version 1 has known protocol weaknesses, so this should be treated as a short-term measure only), as in the following example:
Alternate Workaround: Permit only known trusted hosts and/or networks to connect to the router by creating a vty access list, as in the following example:
Further Problem Description: For information about configuring vty access lists, see the Controlling Access to a Virtual Terminal Line document:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cntrl_acc_vtl.html
For information about SSH, see the Configuring Secure Shell on Routers and Switches Running Cisco IOS document:
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
Symptom: Using scripts to access a Cisco IOS device may bypass the command authorization feature.
Symptoms: Devices running Cisco IOS may reload with the error message “System returned to ROM by abort at PC 0x0” when processing SSHv2 sessions. A switch crashes. We have a script running that will continuously ssh-v2 into the 3560 then close the session normally. If the vty line that is being used by SSHv2 sessions to the device is cleared while the SSH session is being processed, the next time an ssh into the device is done, the device will crash.
Conditions: This problem is platform independent, but it has been seen on Cisco Catalyst 3560, Cisco Catalyst 3750 and Cisco Catalyst 4948 series switches. The issue is specific to SSH version 2, and it is seen only when the box is under brute-force attack. This crash is not seen under normal conditions.
Workaround: There are mitigations to this vulnerability: For Cisco IOS, the SSH server can be disabled by applying the command crypto key zeroize rsa while in configuration mode. The SSH server is enabled automatically upon generating an RSA key pair. Zeroing the RSA keys is the only way to completely disable the SSH server.
Access to the SSH server on Cisco IOS may also be disabled by removing SSH as a valid transport protocol. This can be done by reapplying the transport input command with ‘ssh’ removed from the list of permitted transports on VTY lines while in configuration mode. For example:
line vty 0 4
 transport input telnet
end
If SSH server functionality is desired, access to the server can be restricted to specific source IP addresses or blocked entirely using Access Control Lists (ACLs) on the VTY lines as shown in the following URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swacl.html
More information on configuring ACLs can be found on the Cisco public website: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.
Conditions: This symptom is observed on a Cisco router that has the ip http secure server command enabled.
Workaround: Disable the ip http secure server command.
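The SCP server, SSH/VTY, and HTTPS caveats above all come down to configuration state that a defender can check for. The following is an added example (not Cisco's code) that audits an IOS-style running-config text for three of the conditions named in those caveats: vty lines that accept ssh or telnet without an inbound access-class, an enabled SCP server, and an enabled HTTPS server. The sample config and the finding labels are constructed for this example; which conditions count as findings is an assumption drawn from the workarounds on this page.

```python
"""Audit an IOS-style running-config for the exposures described in the caveats above.

Added example, not Cisco's code. Which conditions are reported is an assumption
based on the workarounds on this page:
  - a vty block whose 'transport input' allows ssh/telnet/all with no 'access-class ... in'
  - 'ip scp server enable' (the SCP server is off by default)
  - 'ip http secure-server' (disabling it is the listed workaround)
A vty block with no 'transport input' line at all is not flagged here, because the
default transport set differs between IOS releases (assumption, not a page claim).
"""
import re

# Constructed sample configuration; not captured from a real device.
SAMPLE_CONFIG = """\
hostname edge-sw1
ip scp server enable
ip http secure-server
ip ssh version 2
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
line vty 0 4
 transport input ssh telnet
 login local
line vty 5 15
 access-class MGMT-HOSTS in
 transport input ssh
 login local
"""


def parse_vty_blocks(config):
    """Return {(first, last): [indented child lines]} for every 'line vty' block."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+) (\d+)\s*$", raw)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the vty block
    return blocks


def audit_config(config):
    """Return a sorted list of finding strings for the given config text."""
    findings = []
    top_level = {line.strip() for line in config.splitlines() if not line.startswith(" ")}
    if "ip scp server enable" in top_level:
        findings.append("scp-server-enabled")
    if "ip http secure-server" in top_level:
        findings.append("http-secure-server-enabled")
    for (first, last), children in parse_vty_blocks(config).items():
        transports = set()
        has_acl = False
        for child in children:
            if child.startswith("transport input"):
                transports = set(child.split()[2:])
            elif re.match(r"^access-class \S+ in$", child):
                has_acl = True
        remote = transports & {"ssh", "telnet", "all"}
        if remote and not has_acl:
            findings.append(f"vty {first} {last}: {' '.join(sorted(remote))} without access-class")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```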
A Cisco IOS device may crash while processing an SSL packet. This can happen during the termination of an SSL-based session. The offending packet is not malformed and is normally received as part of the packet exchange.
Cisco has released free software updates that address this vulnerability. Aside from disabling affected services, there are no available workarounds to mitigate an exploit of this vulnerability.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-ssl.
Symptom: A vulnerability exists within the Cisco IOS Authentication, Authorization, and Accounting (AAA) command authorization feature, where command authorization checks are not performed on commands executed from the Tool Command Language (Tcl) exec shell. This may allow authenticated users to bypass command authorization checks in some configurations resulting in unauthorized privilege escalation.
Conditions: Devices that are not running AAA command authorization feature, or do not support Tcl functionality are not affected by this vulnerability.
This vulnerability is present in all versions of Cisco IOS that support the tclsh command.
Workaround: This advisory with appropriate workarounds is posted at http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060125-aaatcl
Further Problem Description: This particular vulnerability only affects Cisco IOS Release 12.3(4)T and later releases in the T train (12.3 mainline is not affected).
Please refer to the advisory’s “Software Versions and Fixes” table for the first fixed release of Cisco IOS software.
Symptoms: With X.25 over TCP (XOT) enabled on a router or Catalyst switch, malformed traffic that is sent to TCP port 1998 causes the device to reload. This symptom was first observed in Cisco IOS Release 12.2(31)SB2.
Conditions: This symptom is observed only when X.25 routing is enabled on the device.
Workaround: Use IPsec or other tunneling mechanisms to protect XOT traffic. Also, apply ACLs on affected devices so that traffic is accepted only from trusted tunnel endpoints.
Symptom: Devices may reload upon receiving multiple short lived TCP sessions to the telnet port.
Conditions: Devices that run IOS and support IOS Software Modularity are affected. Images that support IOS Software Modularity will have “-vz” in their image name.
Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.
In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.
Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090908-tcp24.
Symptoms: The Generalized TTL Security Mechanism (GTSM), formerly known as BGP TTL Security Hack (BTSH), checks the time-to-live (TTL) value of the packets at the application level, which is not efficient. Also, GTSM does not stop the establishment of a TCP connection for a packet with an invalid TTL value.
Conditions: This symptom is observed on a Cisco platform that has the neighbor neighbor-address security ttl hops hop-count command configured in a BGP environment.
Workaround: There is no workaround.
Cisco IOS Software contains a vulnerability in multiple features that could allow an attacker to cause a denial of service (DoS) condition on the affected device. A sequence of specially crafted TCP packets can cause the vulnerable device to reload.
Cisco has released free software updates that address this vulnerability.
Several mitigation strategies are outlined in the workarounds section of this advisory.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-tcp
Symptoms: Kerberos/Encrypted Telnet code needs to be improved. There is a potential buffer overflow condition in the code. There is no proof of an attack vector/exploit. However, the code needs to be improved.
Conditions: Cisco IOS device configured for Kerberos/Encrypted Telnet access.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:U/RL:U/RC:UC
No CVE ID has been assigned to this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Resolved trans-bridging Caveats
Symptoms: High CPU utilization occurs after the device receives an ARP packet with protocol type 0x1000.
Conditions: This problem occurs on Supervisor 32 running Cisco IOS Release 12.2(33)SXI. This problem may also occur on Supervisor 720. The problem is only seen when you have bridge-group CLI being used, which leads to ARP packets with protocol types as 0x1000 being bridged. The problem does not apply for IP ARP packets.
Workaround: Filter the ARP packet. The device configuration should have bridge-group creation first, followed by interface-specific bridge-group options.
Several features within Cisco IOS Software are affected by a crafted UDP packet vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked input queue on the inbound interface. Only crafted UDP packets destined for the device could result in the interface being blocked, transit traffic will not block the interface.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the workarounds section of the advisory.
This advisory is posted at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-udp
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
– Session Initiation Protocol (SIP)
– Media Gateway Control Protocol (MGCP)
– Signaling protocols H.323, H.254
– Real-time Transport Protocol (RTP)
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070808-IOS-voice.
Symptom: The VTP feature in certain versions of Cisco IOS software may be vulnerable to a crafted packet sent from the local network segment which may lead to denial of service condition.
Conditions: The packets must be received on a trunk enabled port.
Further Information: On September 13, 2006, the Phenoelit Group posted an advisory containing three vulnerabilities:
– VTP version field DoS
– Integer Wrap in VTP revision
– Buffer Overflow in VTP VLAN name
These vulnerabilities are addressed by Cisco IDs:
– CSCsd52629 / CSCsd34759 -- VTP version field DoS
– CSCse40078 / CSCse47765 -- Integer Wrap in VTP revision
– CSCsd34855 / CSCei54611 -- Buffer Overflow in VTP VLAN name
Cisco’s statement and further information are available on the Cisco public website at
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060913-vtp
Summary: Cisco’s VTP protocol implementation in some versions of Cisco IOS and CatOS may be vulnerable to a DoS attack via a specially crafted VTP packet sent from the local network segment when operating in either server or client VTP mode. When the device receives the specially crafted VTP packet, the switch may crash (and reload/hang). The crafted packet must be received on a switch interface configured to operate as a trunk port.
Workarounds: There are no workarounds available for this vulnerability.
This response is posted at http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20081105-vtp
Symptom: On routers that are configured for WCCP, interfaces that are connected to the content engine can become locked; that is, the interface driver enters a state in which the physical interface stops sending and receiving packets.
Conditions: This issue was introduced by CSCuk61396; only images that contain the fix for CSCuk61396 are affected by this issue.
Workaround: There are no workarounds. If an interface becomes locked, the only way to recover the system is to do a reload.
These sections describe troubleshooting guidelines for the Catalyst 6500 series switch configuration:
This section contains troubleshooting guidelines for system-level problems:
This section contains troubleshooting guidelines for module problems:
Note Catalyst 6500 series switches do not support ISL-encapsulated Token Ring frames. To support trunked Token Ring traffic in your network, make trunk connections directly between switches that support ISL-encapsulated Token Ring frames. When a Catalyst 6500 series switch is configured as a VTP server, you can configure Token Ring VLANs from the switch.
Although DTP is a point-to-point protocol, some internetworking devices might forward DTP frames. To avoid connectivity problems that might be caused by a switch acting on these forwarded DTP frames, do the following:
The Spanning Tree Protocol (STP) blocks certain ports to prevent physical loops in a redundant topology. On a blocked port, switches receive spanning tree bridge protocol data units (BPDUs) periodically from neighboring switches. You can configure the frequency with which BPDUs are received by entering the spanning-tree vlan vlan_ID hello-time command (the default frequency is set to 2 seconds). If a switch does not receive a BPDU in the time period defined by the spanning-tree vlan vlan_ID max-age command (20 seconds by default), the blocked port transitions to the listening state, the learning state, and to the forwarding state. As it transitions, the switch waits for the time period specified by the spanning-tree vlan vlan_ID forward-time command (15 seconds by default) in each of these intermediate states. If a blocked spanning tree interface does not receive BPDUs from its neighbor within 50 seconds, it moves into the forwarding state.
Note We do not recommend using the UplinkFast feature on switches with more than 20 active VLANs. The convergence time might be unacceptably long with more than 20 active VLANs.
To debug STP problems, follow these guidelines:
Note Cisco IOS software displays a message if you exceed the maximum number of virtual interfaces.
For additional troubleshooting information, refer to the publications at this URL:
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_troubleshoot_and_alerts.html
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080116ff0.shtml
The following notices pertain to this software license.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.
Copyright © 1998-2007 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/)”.
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/)”.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”.
The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson (tjh@cryptsoft.com)”.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation.
To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What’s New in Cisco Product Documentation RSS feed. The RSS feeds are a free service.