ID

VAR-200501-0257


CVE

CVE-2004-1111


TITLE

Cisco IOS fails to properly handle malformed DHCP packets

Trust: 0.8

sources: CERT/CC: VU#630104

DESCRIPTION

Cisco IOS 2.2(18)EW, 12.2(18)EWA, 12.2(14)SZ, 12.2(18)S, 12.2(18)SE, 12.2(18)SV, 12.2(18)SW, and other versions without the "no service dhcp" command, keep undeliverable DHCP packets in the queue instead of dropping them, which allows remote attackers to cause a denial of service (dropped traffic) via multiple undeliverable DHCP packets that exceed the input queue size.

A denial-of-service vulnerability exists in Cisco's Internetwork Operating System (IOS). This vulnerability may allow remote attackers to conduct denial-of-service attacks on an affected device. 7600 is prone to a denial-of-service vulnerability. Reportedly, DHCP packets containing certain unspecified content have the capability to block the input queue of interfaces on affected devices. Once an input queue is blocked, further ARP, and routing protocol packets will not be processed. This condition can only be corrected by rebooting the affected device. An attacker with the ability to send malicious DHCP packets to an affected device may be able to interrupt the routing services of the affected device, potentially denying further network service to legitimate users. Cisco IOS is the system used by Cisco networking equipment.

Technical Cyber Security Alert TA04-316A

Cisco IOS Input Queue Vulnerability

Original release date: November 11, 2004
Last revised: --
Source: US-CERT

Systems Affected

* Cisco routers, switches, and line cards running vulnerable versions of IOS

The following versions of IOS are known to be affected:

* 12.2(18)EW
* 12.2(18)EWA
* 12.2(18)S
* 12.2(18)SE
* 12.2(18)SV
* 12.2(18)SW
* 12.2(14)SZ

Overview

There is a vulnerability in the way Cisco IOS processes DHCP packets. Exploitation of this vulnerability may lead to a denial of service. The processing of DHCP packets is enabled by default.

I. Description

The Dynamic Host Configuration Protocol (DHCP) provides a means for distributing configuration information to hosts on a TCP/IP network. The Cisco Internetwork Operating System (IOS) contains a vulnerability that allows malformed DHCP packets to cause an affected device to stop processing incoming network traffic. Cisco devices can act as a DHCP server, providing host configuration information to clients, or they can forward DHCP and BootP requests as a relay agent. The affected devices have the DHCP service enabled by default and will accept and process incoming DHCP packets. When the queue becomes full, the device will stop accepting all traffic on that interface, not just DHCP traffic.

The DHCP service is enabled by default in IOS. DHCP can only be disabled when the no service dhcp command is specified in the running configuration. Cisco notes the following in their advisory:

"Cisco routers are configured to process and accept DHCP packets by default, therefore the command service dhcp does not appear in the running configuration display, and only the command for the disabled feature, no service dhcp, will appear in the running configuration display when the feature is disabled. The vulnerability is present, regardless if the DHCP server or relay agent configurations are present on an affected product."

US-CERT is tracking this issue as VU#630104.

II.

Repeated exploitation of this vulnerability could lead to a sustained denial-of-service condition. In order to regain functionality, the device must be rebooted to clear the input queue on the interface.

III. Solution

Upgrade to fixed versions of IOS

Cisco has published detailed information about upgrading affected Cisco IOS software to correct this vulnerability. System managers are encouraged to upgrade to one of the non-vulnerable releases. For additional information regarding availability of repaired releases, please refer to the "Software Versions and Fixes" section of the Cisco Security Advisory.

Workarounds

Cisco recommends a number of workarounds. For a complete list of workarounds, see the Cisco Security Advisory.

Appendix A. References

* Vulnerability Note VU#630104 - <http://www.kb.cert.org/vuls/id/630104>
* Cisco Security Advisory: "Cisco IOS DHCP Blocked Interface Denial-of-Service" - <http://www.cisco.com/warp/public/707/cisco-sa-20041110-dhcp.shtml>

US-CERT thanks Cisco Systems for notifying us about this problem.

Feedback can be directed to the authors: Jeff Havrilla, Damon Morda, and Jason Rafail

This document is available from: <http://www.us-cert.gov/cas/techalerts/TA04-316A.html>

Copyright 2004 Carnegie Mellon University. Terms of use: <http://www.us-cert.gov/legal.html>

Revision History

Nov 11, 2004: Initial release

Last updated November 11, 2004

Trust: 3.06

sources: NVD: CVE-2004-1111 // CERT/CC: VU#630104 // JVNDB: JVNDB-2004-000485 // BID: 90539 // BID: 11649 // VULHUB: VHN-9541 // PACKETSTORM: 35029

AFFECTED PRODUCTS

vendor: cisco | model: ios | scope: eq | version: 12.2(18)ew

Trust: 1.6

vendor: cisco | model: ios | scope: eq | version: 12.2(14)sz

Trust: 1.6

vendor: cisco | model: ios | scope: eq | version: 12.2(18)s

Trust: 1.6

vendor: cisco | model: ios | scope: eq | version: 12.2(20)ew

Trust: 1.6

vendor: cisco | model: ios | scope: eq | version: 12.2(18)ewa

Trust: 1.6

vendor: cisco | model: ios | scope: eq | version: 12.2(18)se

Trust: 1.6

vendor: cisco | model: ios | scope: eq | version: 12.2(18)sw

Trust: 1.6

vendor: cisco | model: ios 12.2 ew | scope: - | version: -

Trust: 1.2

vendor: cisco | model: multiservice platform 2651xm | scope: eq | version: *

Trust: 1.0

vendor: cisco | model: catalyst 7600 | scope: eq | version: *

Trust: 1.0

vendor: cisco | model: 7600 router | scope: eq | version: *

Trust: 1.0

vendor: cisco | model: 7200 router | scope: eq | version: *

Trust: 1.0

vendor: cisco | model: ios | scope: eq | version: 12.2(18)sv

Trust: 1.0

vendor: cisco | model: 7300 router | scope: eq | version: *

Trust: 1.0

vendor: cisco | model: multiservice platform 2651 | scope: eq | version: *

Trust: 1.0

vendor: cisco | model: multiservice platform 2650 | scope: eq | version: *

Trust: 1.0

vendor: cisco | model: 7500 router | scope: eq | version: *

Trust: 1.0

vendor: cisco | model: multiservice platform 2650xm | scope: eq | version: *

Trust: 1.0

vendor: cisco | model: - | scope: - | version: -

Trust: 0.8

vendor: cisco | model: 7600 series | scope: eq | version: sup2/msfc2 and sup720/msfc3

Trust: 0.8

vendor: cisco | model: catalyst 3560 series | scope: - | version: -

Trust: 0.8

vendor: cisco | model: catalyst 3750 series | scope: - | version: -

Trust: 0.8

vendor: cisco | model: catalyst 4000 series | scope: eq | version: sup2plus

Trust: 0.8

vendor: cisco | model: catalyst 4000 series | scope: eq | version: sup3

Trust: 0.8

vendor: cisco | model: catalyst 4000 series | scope: eq | version: sup4

Trust: 0.8

vendor: cisco | model: catalyst 4000 series | scope: eq | version: sup5 module

Trust: 0.8

vendor: cisco | model: catalyst 4500 series | scope: eq | version: sup2plus ts

Trust: 0.8

vendor: cisco | model: catalyst 4900 series | scope: - | version: -

Trust: 0.8

vendor: cisco | model: catalyst 6000 series | scope: eq | version: sup2/msfc2 and sup720/msfc3

Trust: 0.8

vendor: cisco | model: ios | scope: eq | version: 12.2

Trust: 0.8

vendor: cisco | model: ons 15500 series | scope: eq | version: ons15530

Trust: 0.8

vendor: cisco | model: ons 15500 series | scope: eq | version: ons15540

Trust: 0.8

vendor: cisco | model: ios 12.2 sw | scope: - | version: -

Trust: 0.6

vendor: cisco | model: ios 12.2 sv | scope: - | version: -

Trust: 0.6

vendor: cisco | model: ios 12.2 se | scope: - | version: -

Trust: 0.6

vendor: cisco | model: ios 12.2 s | scope: - | version: -

Trust: 0.6

vendor: cisco | model: ios 12.2 ewa | scope: - | version: -

Trust: 0.6

vendor: cisco | model: ios 12.2 sz | scope: - | version: -

Trust: 0.6

vendor: cisco | model: - | scope: eq | version: 7600

Trust: 0.6

vendor: cisco | model: - | scope: eq | version: 7500

Trust: 0.6

vendor: cisco | model: - | scope: eq | version: 7300

Trust: 0.6

vendor: cisco | model: - | scope: eq | version: 7200

Trust: 0.6

vendor: cisco | model: 2651xm multiservice platform | scope: - | version: -

Trust: 0.6

vendor: cisco | model: multiservice platform | scope: eq | version: 2651

Trust: 0.6

vendor: cisco | model: 2650xm multiservice platform | scope: - | version: -

Trust: 0.6

vendor: cisco | model: multiservice platform | scope: eq | version: 2650

Trust: 0.6

vendor: cisco | model: catalyst 7600 | scope: eq | version: sup720_msfc3

Trust: 0.6

vendor: cisco | model: 7500 router | scope: - | version: -

Trust: 0.6

vendor: cisco | model: 7600 router | scope: - | version: -

Trust: 0.6

vendor: cisco | model: catalyst sup720 msfc3 | scope: eq | version: 7600

Trust: 0.3

vendor: cisco | model: catalyst sup720/msfc3 | scope: eq | version: 7600

Trust: 0.3

vendor: cisco | model: ios 12.2 sw | scope: ne | version: -

Trust: 0.3

vendor: cisco | model: ios 12.2 s | scope: ne | version: -

Trust: 0.3

vendor: cisco | model: ios 12.2 sv | scope: ne | version: -

Trust: 0.3

vendor: cisco | model: ios 12.2 s2 | scope: ne | version: -

Trust: 0.3

vendor: cisco | model: ios 12.2 se3 | scope: ne | version: -

Trust: 0.3

vendor: cisco | model: ios 12.2 s4 | scope: ne | version: -

Trust: 0.3

vendor: cisco | model: ios 12.2 ewa | scope: ne | version: -

Trust: 0.3

vendor: cisco | model: ios 12.2 s6 | scope: ne | version: -

Trust: 0.3

vendor: cisco | model: ios 12.2 ew2 | scope: ne | version: -

Trust: 0.3

sources: CERT/CC: VU#630104 // BID: 90539 // BID: 11649 // JVNDB: JVNDB-2004-000485 // CNNVD: CNNVD-200501-136 // NVD: CVE-2004-1111

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2004-1111
value: MEDIUM

Trust: 1.0

CARNEGIE MELLON: VU#630104
value: 55.13

Trust: 0.8

NVD: CVE-2004-1111
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200501-136
value: MEDIUM

Trust: 0.6

VULHUB: VHN-9541
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2004-1111
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-9541
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#630104 // VULHUB: VHN-9541 // JVNDB: JVNDB-2004-000485 // CNNVD: CNNVD-200501-136 // NVD: CVE-2004-1111

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2004-1111

THREAT TYPE

network

Trust: 0.6

sources: BID: 90539 // BID: 11649

TYPE

unknown

Trust: 0.6

sources: CNNVD: CNNVD-200501-136

CONFIGURATIONS

sources: JVNDB: JVNDB-2004-000485

PATCH

title: cisco-sa-20041110-dhcp | url: http://www.cisco.com/warp/public/707/cisco-sa-20041110-dhcp.shtml

Trust: 0.8

sources: JVNDB: JVNDB-2004-000485

EXTERNAL IDS

db: CERT/CC | id: VU#630104

Trust: 3.7

db: USCERT | id: TA04-316A

Trust: 2.9

db: NVD | id: CVE-2004-1111

Trust: 2.8

db: XF | id: 18021

Trust: 1.7

db: BID | id: 11649

Trust: 1.1

db: JVNDB | id: JVNDB-2004-000485

Trust: 0.8

db: CNNVD | id: CNNVD-200501-136

Trust: 0.7

db: CISCO | id: 20041110 CISCO SECURITY ADVISORY: CISCO IOS DHCP BLOCKED INTERFACE DENIAL-OF-SERVICE

Trust: 0.6

db: OVAL | id: OVAL:ORG.MITRE.OVAL:DEF:5632

Trust: 0.6

db: CIAC | id: P-034

Trust: 0.6

db: TECHNICAL ALERT | id: TA04-316A

Trust: 0.6

db: BID | id: 90539

Trust: 0.4

db: VULHUB | id: VHN-9541

Trust: 0.1

db: PACKETSTORM | id: 35029

Trust: 0.1

sources: CERT/CC: VU#630104 // VULHUB: VHN-9541 // BID: 90539 // BID: 11649 // JVNDB: JVNDB-2004-000485 // PACKETSTORM: 35029 // CNNVD: CNNVD-200501-136 // NVD: CVE-2004-1111

REFERENCES

url:http://www.cisco.com/warp/public/707/cisco-sa-20041110-dhcp.shtml

Trust: 3.2

url:http://www.us-cert.gov/cas/techalerts/ta04-316a.html

Trust: 2.8

url:http://www.kb.cert.org/vuls/id/630104

Trust: 2.8

url:http://www.ciac.org/ciac/bulletins/p-034.shtml

Trust: 2.8

url:http://xforce.iss.net/xforce/xfdb/18021

Trust: 1.7

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a5632

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/18021

Trust: 1.1

url:http://www.ietf.org/rfc/rfc2131.txt

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2004-1111

Trust: 0.8

url:http://www.jpcert.or.jp/wr/2004/wr044501.txt

Trust: 0.8

url:http://jvn.jp/cert/jvnta04-316a

Trust: 0.8

url:http://jvn.jp/tr/trta04-316a

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2004-1111

Trust: 0.8

url:http://www.securityfocus.com/bid/11649

Trust: 0.8

url:http://oval.mitre.org/repository/data/getdef?id=oval:org.mitre.oval:def:5632

Trust: 0.6

url:http://www.us-cert.gov/cas/techalerts/ta04-316a.html>

Trust: 0.1

url:http://www.us-cert.gov/legal.html>

Trust: 0.1

url:http://www.kb.cert.org/vuls/id/630104>

Trust: 0.1

sources: CERT/CC: VU#630104 // VULHUB: VHN-9541 // BID: 90539 // BID: 11649 // JVNDB: JVNDB-2004-000485 // PACKETSTORM: 35029 // CNNVD: CNNVD-200501-136 // NVD: CVE-2004-1111

CREDITS

Unknown

Trust: 0.3

sources: BID: 90539

SOURCES

db: CERT/CC | id: VU#630104
db: VULHUB | id: VHN-9541
db: BID | id: 90539
db: BID | id: 11649
db: JVNDB | id: JVNDB-2004-000485
db: PACKETSTORM | id: 35029
db: CNNVD | id: CNNVD-200501-136
db: NVD | id: CVE-2004-1111

LAST UPDATE DATE

2024-08-14T14:59:23.735000+00:00


SOURCES UPDATE DATE

db: CERT/CC | id: VU#630104 | date: 2004-11-11T00:00:00
db: VULHUB | id: VHN-9541 | date: 2017-10-11T00:00:00
db: BID | id: 90539 | date: 2005-01-10T00:00:00
db: BID | id: 11649 | date: 2004-11-10T00:00:00
db: JVNDB | id: JVNDB-2004-000485 | date: 2007-04-01T00:00:00
db: CNNVD | id: CNNVD-200501-136 | date: 2009-03-04T00:00:00
db: NVD | id: CVE-2004-1111 | date: 2017-10-11T01:29:41.777

SOURCES RELEASE DATE

db: CERT/CC | id: VU#630104 | date: 2004-11-10T00:00:00
db: VULHUB | id: VHN-9541 | date: 2005-01-10T00:00:00
db: BID | id: 90539 | date: 2005-01-10T00:00:00
db: BID | id: 11649 | date: 2004-11-10T00:00:00
db: JVNDB | id: JVNDB-2004-000485 | date: 2007-04-01T00:00:00
db: PACKETSTORM | id: 35029 | date: 2004-11-12T23:58:09
db: CNNVD | id: CNNVD-200501-136 | date: 2005-01-10T00:00:00
db: NVD | id: CVE-2004-1111 | date: 2005-01-10T05:00:00