VARIoT IoT vulnerabilities database
| VAR-200809-0020 | CVE-2008-3798 | Cisco IOS SSL service denial-of-service (DoS) vulnerability related to session termination processing |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco IOS 12.4 allows remote attackers to cause a denial of service (device crash) via a normal, properly formed SSL packet that occurs during termination of an SSL session.
A successful exploit may cause an affected device to crash, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCsj85065.
----------------------------------------------------------------------
TITLE:
Cisco IOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31990
VERIFY ADVISORY:
http://secunia.com/advisories/31990/
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information, DoS, System access
WHERE:
From remote
OPERATING SYSTEM:
Cisco IOS R12.x
http://secunia.com/advisories/product/50/
Cisco IOS 12.x
http://secunia.com/advisories/product/182/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco IOS, which can be
exploited by malicious people to disclose sensitive information,
cause a DoS (Denial of Service), or to compromise a vulnerable
system.
2) Two unspecified errors exist within the processing of Protocol
Independent Multicast (PIM) packets, which can be exploited to cause
an affected device to reload.
3) Unspecified errors within the processing of segmented Skinny Call
Control Protocol (SCCP) messages can be exploited to cause a Cisco
IOS device to reload.
Successful exploitation requires that the device is configured with
Network Address Translation (NAT) SCCP Fragmentation Support.
4) A memory leak in the processing of Session Initiation Protocol
(SIP) messages can be exploited to cause a DoS for all voice
services.
5) Multiple unspecified errors exist in the processing of SIP
messages, which can be exploited to cause a reload of an affected
device.
6) An unspecified error in the IOS Intrusion Prevention System (IPS)
feature when processing certain IPS signatures that use the
SERVICE.DNS engine can be exploited to cause a DoS via specially
crafted network traffic.
7) A security issue exists in the processing of extended communities
with Multi Protocol Label Switching (MPLS) Virtual Private Networks
(VPN), which can lead to traffic leaking from one MPLS VPN to
another.
NOTE: This security issue was introduced with CSCee83237.
8) An unspecified error within the Multi Protocol Label Switching
(MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a
DoS via specially crafted network packets.
Successful exploitation requires access to the MPLS network.
9) An unspecified error within the Application Inspection Control
(AIC) can be exploited to cause a reload of an affected device via
specially crafted HTTP packets.
10) An unspecified error in the processing of Layer 2 Tunneling
Protocol (L2TP) packets can be exploited to cause an affected device
to reload via specially crafted L2TP packets.
Successful exploitation requires that the L2TP mgmt daemon process is
running. This process may be enabled e.g. via Layer 2 virtual private
networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack
Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up
Networks (VPDN).
11) An unspecified error exists in the processing of IPC messages.
This can be exploited to reload an affected device via a specially
crafted UDP packet sent to port 1975.
12) A security issue is caused by the device automatically
enabling SNMP with a default community string, which can be exploited
to gain control of an affected system.
Successful exploitation requires that a device is configured for
linecard redundancy.
SOLUTION:
Update to the fixed version (please see the vendor's advisories for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
----------------------------------------------------------------------
Cisco Security Advisory: Vulnerability in Cisco IOS While Processing
SSL Packet
Advisory ID: cisco-sa-20080924-ssl
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
Revision 1.0
For Public Release 2008 September 24 1600 UTC (GMT)
----------------------------------------------------------------------
Summary
=======
A Cisco IOS device may crash while processing an SSL packet. This can
happen during the termination of an SSL-based session. The offending
packet is not malformed and is normally received as part of the
packet exchange.
Cisco has released free software updates that address this
vulnerability. Aside from disabling affected services, there are no
available workarounds to mitigate an exploit of this vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
Note: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml
Individual publication links are listed below:
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
Affected Products
=================
Vulnerable Products
+------------------
Devices running Cisco IOS and using SSL-based services are
susceptible to this vulnerability. Some of the services that utilize
SSL are:
* HTTP server supporting SSL encryption (HTTPS)
  The following example shows a device that has the standard Cisco
  IOS HTTP server disabled, but the SSL-enabled Cisco IOS HTTP
  server enabled:
      Router#show running-config | include ip http
      no ip http server
      ip http secure-server
      Router#
* SSL Virtual Private Network (SSL VPN) also known as AnyConnect
  VPN
  The following example shows a device that has the SSL VPN feature
  enabled:
      Router#show running-config | include webvpn
      webvpn enable
      webvpn
      Router#
* Open Settlement Protocol (OSP) for Packet Telephony feature
  The following example shows a device that has the OSP feature
  enabled and uses HTTPS protocol that is vulnerable:
      Router#show running-config | include url
      url https://<host_ip_address>:443/
      Router#
The Cisco IOS Bug Toolkit may not accurately reflect the affected
releases for this advisory. The affected releases are as follows:
* 12.4(16)MR, 12.4(16)MR1, 12.4(16)MR2
* 12.4(17)
To determine the version of the Cisco IOS software running on a Cisco
product, log in to the device and issue the show version command to
display the system banner. Cisco IOS Software will identify itself as
"Internetwork Operating System Software" or simply "IOS." On the next
line of output, the image name will be displayed between parentheses,
followed by "Version" and the IOS release name. Other Cisco devices
will not have the show version command or will give different output.
    Router#show version
    Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(15)T2,
    RELEASE SOFTWARE (fc7)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 17-Jan-08 23:12 by prod_rel_team
Additional information about Cisco IOS software release naming is
available at the following link:
http://www.cisco.com/warp/public/620/1.html
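The exposure check this section describes (an affected release combined with an enabled SSL-based service) can be automated over collected command output. The Python below is an added example, not code from Cisco or from the advisory; the function names, the second sample device and the sample configuration are constructed for illustration.

```python
import re
from typing import List, Optional

# Affected releases exactly as listed in the advisory text.
AFFECTED_RELEASES = {"12.4(16)MR", "12.4(16)MR1", "12.4(16)MR2", "12.4(17)"}

# Running-config lines the advisory shows for each SSL-based service.
# Lines are stripped before matching, so "no ip http secure-server"
# (service disabled) never matches the first pattern.
SSL_SERVICE_PATTERNS = {
    "HTTPS server": re.compile(r"^ip http secure-server$"),
    "SSL VPN": re.compile(r"^webvpn enable\b"),
    "OSP over HTTPS": re.compile(r"^url https://", re.IGNORECASE),
}

# Release name that follows the word "Version", e.g. 12.4(15)T2 or 12.4(17a).
RELEASE_RE = re.compile(r"\bVersion\s+(\d+\.\d+\(\d+[a-z]?\)[A-Za-z0-9]*)")

# "show version" banner quoted in the advisory.
PAGE_SHOW_VERSION = """\
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(15)T2,
RELEASE SOFTWARE (fc7)
"""

# Constructed sample: same banner shape, with a release from the affected list.
CONSTRUCTED_SHOW_VERSION = """\
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(17),
RELEASE SOFTWARE (fc1)
"""

# Constructed sample: HTTP server off, HTTPS server on, as in the advisory's example.
CONSTRUCTED_CONFIG = """\
no ip http server
ip http secure-server
"""


def parse_ios_release(show_version: str) -> Optional[str]:
    """Return the IOS release name, or None if the output is not from Cisco IOS."""
    if "IOS" not in show_version and "Internetwork Operating System" not in show_version:
        return None
    match = RELEASE_RE.search(show_version)
    return match.group(1) if match else None


def enabled_ssl_services(running_config: str) -> List[str]:
    """List the SSL-based services whose enabling line appears in the config."""
    found: List[str] = []
    for raw_line in running_config.splitlines():
        line = raw_line.strip()
        for name, pattern in SSL_SERVICE_PATTERNS.items():
            if pattern.search(line) and name not in found:
                found.append(name)
    return found


def assess(show_version: str, running_config: str) -> dict:
    """Combine release and service checks into one verdict per device."""
    release = parse_ios_release(show_version)
    services = enabled_ssl_services(running_config)
    if release is None:
        verdict = "unknown"
    elif release not in AFFECTED_RELEASES:
        verdict = "release not listed as affected"
    elif services:
        verdict = "exposed"
    else:
        verdict = "affected release, SSL services off"
    return {"release": release, "ssl_services": services, "verdict": verdict}


if __name__ == "__main__":
    for banner in (PAGE_SHOW_VERSION, CONSTRUCTED_SHOW_VERSION):
        print(assess(banner, CONSTRUCTED_CONFIG))
```

A device reported as "affected release, SSL services off" still needs the fixed software, since enabling any of the three services later re-exposes it.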
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products and Cisco IOS releases are currently known to
be affected by this vulnerability.
Possession of valid credentials such as a username, password
or a certificate is not required. SSL protocol uses TCP as a
transport protocol. The requirement of the complete TCP 3-way
handshake reduces the probability that this vulnerability will be
exploited through the use of spoofed IP addresses.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsj85065 - Router reload while processing SSL packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
A successful exploit of this vulnerability may cause a crash of the
affected device. Repeated exploitation may result in a sustained
denial of service condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major Release | Availability of Repaired Releases |
|---------------------------+---------------------------------------|
| Affected 12.0-Based | First Fixed | Recommended |
| Releases | Release | Release |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| Affected 12.1-Based | First Fixed | Recommended |
| Releases | Release | Release |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected 12.2-Based | First Fixed | Recommended |
| Releases | Release | Release |
|-------------------------------------------------------------------|
| There are no affected 12.2 based releases |
|-------------------------------------------------------------------|
| Affected 12.3-Based | First Fixed | Recommended |
| Releases | Release | Release |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|-------------------------------------------------------------------|
| Affected 12.4-Based | First Fixed | Recommended |
| Releases | Release | Release |
|---------------------------+-------------------+-------------------|
| | 12.4(17a) | |
| 12.4 | | 12.4(18c) |
| | 12.4(18) | |
|---------------------------+-------------------+-------------------|
| 12.4JA | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4JK | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4JL | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4JMA | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4JMB | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4JMC | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4JX | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4MD | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4MR | 12.4(19)MR | 12.4(19)MR |
|---------------------------+-------------------+-------------------|
| 12.4SW | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4T | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4XA | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4XB | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4XC | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4XD | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4XE | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4XF | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4XG | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4XJ | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4XK | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4XL | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4XM | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4XN | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4XP | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4XQ | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4XT | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4XV | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4XW | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4XY | Not Vulnerable | |
|---------------------------+-------------------+-------------------|
| 12.4XZ | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
To prevent an exploit of a vulnerable device, SSL-based services need
to be disabled. However, if regular maintenance and operation of the
device relies on this service, there is no workaround.
The following command will disable the vulnerable HTTPS service:
    Router(config)#no ip http secure-server
The following command will disable the vulnerable SSL VPN service:
    Router(config)#no webvpn enable
The following command will disable the vulnerable OSP service:
    Router(config)#no settlement <n>
Another option is to revert to HTTP protocol instead of using HTTPS. The
downside of this workaround is that the settlement information will
be sent over the network unprotected.
It is possible to mitigate this vulnerability by preventing
unauthorized hosts from accessing affected devices.
Control Plane Policing (CoPP)
+----------------------------
Cisco IOS software versions that support Control Plane Policing
(CoPP) can be configured to help protect the device from attacks that
target the management and control planes. CoPP is available in Cisco
IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T.
In the following CoPP example, the ACL entries that match the exploit
packets with the permit action will be discarded by the policy-map
drop function, whereas packets that match a deny action (not shown)
are not affected by the policy-map drop function:
!-- Include deny statements up front for any protocols/ports/IP addresses that
!-- should not be impacted by CoPP
!-- Include permit statements for the protocols/ports that will be
!-- governed by CoPP
access-list 100 permit tcp any any eq 443
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!
!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.
!
class-map match-all drop-SSL-class
 match access-group 100
!
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
!
policy-map drop-SSL-policy
 class drop-SSL-class
  drop
!-- Apply the Policy-Map to the Control-Plane of the
!-- device.
!
control-plane
 service-policy input drop-SSL-policy
Note: In the preceding CoPP example, the ACL entries with the permit
action that match the exploit packets will result in the discarding
of those packets by the policy-map drop function, whereas packets
that match the deny action are not affected by the policy-map drop
function.
Additional information on the configuration and use of the CoPP
feature is available at the following links:
http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml
and http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html
Access Control List (ACL)
+------------------------
An Access Control List (ACL) can be used to help mitigate attacks
that target this vulnerability. ACLs can specify that only packets
from legitimate sources are permitted to reach a device, and all
others are to be dropped. The following example shows how to allow
legitimate SSL sessions from trusted sources and deny all other SSL
sessions:
access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> eq 443
access-list 101 deny tcp any any eq 443
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------------------------------+
| Revision 1.0 | 2008-September-24 | Initial public release     |
+---------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
| VAR-200809-0022 | CVE-2008-3800 |
Cisco IOS and Unified Communications Manager SIP implementation denial-of-service (DoS) vulnerabilities related to SIP message processing
Related entries in the VARIoT exploits database: VAR-E-200809-0948 |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Session Initiation Protocol (SIP) implementation in Cisco IOS 12.2 through 12.4 and Unified Communications Manager 4.1 through 6.1, when VoIP is configured, allows remote attackers to cause a denial of service (device or process reload) via unspecified valid SIP messages, aka Cisco Bug ID CSCsu38644, a different vulnerability than CVE-2008-3801 and CVE-2008-3802. Cisco Unified Communications Manager is prone to multiple denial-of-service vulnerabilities.
These issues affect the Session Initiation Protocol (SIP) service.
These issues are documented by Cisco bug IDs CSCsu38644 and CSCsm46064.
An attacker can exploit these issues to cause denial-of-service conditions in the affected application. Cisco IOS is the Internet operating system used on Cisco networking equipment. A remote attacker can cause a denial of service via unspecified valid SIP messages. An exploit of these
vulnerabilities may cause an interruption in voice services.
Cisco will release free software updates that address these
vulnerabilities and this advisory will be updated as fixed software
becomes available. There are no workarounds for these
vulnerabilities.
Note: Cisco IOS software is also affected by the vulnerabilities
described in this advisory. The software version
can also be determined by running the command show version active via
the command line interface.
In Cisco Unified CallManager version 4.x, the use of SIP as a call
signaling protocol is not enabled by default, and for the Cisco
Unified CallManager server to start listening for SIP messages on TCP
and UDP ports 5060 and 5061 a SIP trunk needs to be configured. A companion
security advisory for Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
Products Confirmed Not Vulnerable
+--------------------------------
With the exception of Cisco IOS software, no other Cisco products are
currently known to be vulnerable to the issues described in this
advisory.
Cisco Unified CallManager version 4.x is not affected by these
vulnerabilities if it does not have any SIP trunks configured.
Details
=======
Cisco Unified Communications Manager is the call processing component
of the Cisco IP Telephony solution that extends enterprise telephony
features and functions to packet telephony network devices, such as
IP phones, media processing devices, voice-over-IP gateways, and
multimedia applications.
SIP is a popular signaling protocol that is used to manage voice and
video calls across IP networks such as the Internet. SIP is
responsible for handling all aspects of call setup and termination.
Voice and video are the most popular types of sessions that SIP
handles, but the protocol is flexible to accommodate for other
applications that require call setup and termination. SIP call
signaling can use UDP (port 5060), TCP (port 5060), or TLS (TCP port
5061) as the underlying transport protocol. Version 4.x of Cisco Unified CallManager does not have SIP
enabled by default unless a SIP trunk is configured.
The vulnerabilities are being tracked by the following Cisco bug IDs:
* CSCsu38644, assigned CVE ID CVE-2008-3800
* CSCsm46064, assigned CVE ID CVE-2008-3801
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsu38644 - Valid SIP message can cause CCM process to crash
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsm46064 - Problem when CUCM sends out SIP message with valid header
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
advisory may result in a reload of the Cisco Unified Communications
Manager process, which could result in the interruption of voice
services.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Cisco Unified CallManager version 4.1(3)SR8 contains fixes for all
vulnerabilities affecting Cisco Unified CallManager version 4.1
listed in this advisory, and is scheduled to be released in early
October 2008.
Workarounds
===========
There are no workarounds for these vulnerabilities.
It is possible to mitigate the vulnerabilities by implementing
filtering on screening devices.
To change the ports from their default values, log into the Cisco
Unified CallManager Administration web interface, go to System >
Cisco Unified CM, locate the appropriate Cisco Unified Communications
Manager, change the fields SIP Phone Port and SIP Phone Secure Port
to a non-standard port, then click Save. SIP Phone Port, by default
5060, refers to the TCP and UDP ports where the Cisco Unified
Communications Manager listens for normal SIP messages, and SIP Phone
Secure Port, by default 5061, refers to the TCP and UDP ports where
the Cisco Unified Communications Manager listens for SIP over TLS
messages.
Note: For a change of the SIP ports to take effect, the Cisco
CallManager Service needs to be restarted. For information on how to
accomplish this, refer to "Restarting the Cisco CallManager Service"
at
http://www.cisco.com/en/US/docs/voice_ip_comm/cucmbe/admin/7_0_1/ccmcfg/b03dpi.html#wp1075124
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://www.cisco.com/warp/public/707/cisco-amb-20080924-sip.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were discovered by Cisco internal testing and
during handling of customer service requests.
Status of this Notice: INTERIM
==============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW
INFORMATION BECOMES AVAILABLE.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-----------------------------------------------------------+
| Revision 1.0 | 2008-September-24 | Initial public release |
+-----------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
----------------------------------------------------------------------
TITLE:
Cisco IOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31990
VERIFY ADVISORY:
http://secunia.com/advisories/31990/
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information, DoS, System access
WHERE:
From remote
OPERATING SYSTEM:
Cisco IOS R12.x
http://secunia.com/advisories/product/50/
Cisco IOS 12.x
http://secunia.com/advisories/product/182/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco IOS, which can be
exploited by malicious people to disclose sensitive information,
cause a DoS (Denial of Service), or to compromise a vulnerable
system.
1) An unspecified error exists in the processing of SSL packets
during the termination of an SSL session, which can potentially be
exploited to crash an affected system.
2) Two unspecified errors exist within the processing of Protocol
Independent Multicast (PIM) packets, which can be exploited to cause
an affected device to reload.
Successful exploitation requires that the device is configured with
Network Address Translation (NAT) SCCP Fragmentation Support.
6) An unspecified error in the IOS Intrusion Prevention System (IPS)
feature when processing certain IPS signatures that use the
SERVICE.DNS engine can be exploited to cause a DoS via specially
crafted network traffic.
7) A security issue exists in the processing of extended communities
with Multi Protocol Label Switching (MPLS) Virtual Private Networks
(VPN), which can lead to traffic leaking from one MPLS VPN to
another.
NOTE: This security issue was introduced with CSCee83237.
8) An unspecified error within the Multi Protocol Label Switching
(MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a
DoS via specially crafted network packets.
Successful exploitation requires access to the MPLS network.
9) An unspecified error within the Application Inspection Control
(AIC) can be exploited to cause a reload of an affected device via
specially crafted HTTP packets.
10) An unspecified error in the processing of Layer 2 Tunneling
Protocol (L2TP) packets can be exploited to cause an affected device
to reload via specially crafted L2TP packets.
Successful exploitation requires that the L2TP mgmt daemon process is
running. This process may be enabled e.g. via Layer 2 virtual private
networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack
Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up
Networks (VPDN).
11) An unspecified error exists in the processing of IPC messages.
This can be exploited to reload an affected device via a specially
crafted UDP packet sent to port 1975.
This vulnerability is reported in Cisco 10000, uBR10012, and uBR7200
series devices.
12) A security issue is caused by the device automatically
enabling SNMP with a default community string, which can be exploited
to gain control of an affected system.
Successful exploitation requires that a device is configured for
linecard redundancy.
SOLUTION:
Update to the fixed version (please see the vendor's advisories for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
----------------------------------------------------------------------
| VAR-200809-0023 | CVE-2008-3801 |
SIP message processing denial-of-service (DoS) vulnerability in the SIP implementation of Cisco IOS and Unified Communications Manager
Related entries in the VARIoT exploits database: VAR-E-200809-0948 |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Session Initiation Protocol (SIP) implementation in Cisco IOS 12.2 through 12.4 and Unified Communications Manager 4.1 through 6.1, when VoIP is configured, allows remote attackers to cause a denial of service (device or process reload) via unspecified valid SIP messages, aka Cisco Bug ID CSCsm46064, a different vulnerability than CVE-2008-3800 and CVE-2008-3802. The issue is tracked as Bug ID CSCsm46064 and is a different vulnerability from CVE-2008-3800 and CVE-2008-3802. A third party may be able to disrupt service operation (DoS). Cisco Unified Communications Manager is prone to multiple denial-of-service vulnerabilities.
These issues affect the Session Initiation Protocol (SIP) service.
These issues are documented by Cisco bug IDs CSCsu38644 and CSCsm46064.
An attacker can exploit these issues to cause denial-of-service conditions in the affected application. Cisco IOS is the Internet operating system used on Cisco networking equipment. A remote attacker can cause a denial of service via unspecified valid SIP messages. An exploit of these
vulnerabilities may cause an interruption in voice services.
Cisco will release free software updates that address these
vulnerabilities and this advisory will be updated as fixed software
becomes available. There are no workarounds for these
vulnerabilities.
Note: Cisco IOS software is also affected by the vulnerabilities
described in this advisory. The software version
can also be determined by running the command show version active via
the command line interface.
In Cisco Unified CallManager version 4.x, the use of SIP as a call
signaling protocol is not enabled by default, and for the Cisco
Unified CallManager server to start listening for SIP messages on TCP
and UDP ports 5060 and 5061 a SIP trunk needs to be configured. A companion
security advisory for Cisco IOS software is available at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
Products Confirmed Not Vulnerable
+--------------------------------
With the exception of Cisco IOS software, no other Cisco products are
currently known to be vulnerable to the issues described in this
advisory.
Cisco Unified CallManager version 4.x is not affected by these
vulnerabilities if it does not have any SIP trunks configured.
Details
=======
Cisco Unified Communications Manager is the call processing component
of the Cisco IP Telephony solution that extends enterprise telephony
features and functions to packet telephony network devices, such as
IP phones, media processing devices, voice-over-IP gateways, and
multimedia applications.
SIP is a popular signaling protocol that is used to manage voice and
video calls across IP networks such as the Internet. SIP is
responsible for handling all aspects of call setup and termination.
Voice and video are the most popular types of sessions that SIP
handles, but the protocol is flexible enough to accommodate other
applications that require call setup and termination. SIP call
signaling can use UDP (port 5060), TCP (port 5060), or TLS (TCP port
5061) as the underlying transport protocol. Version 4.x of Cisco
Unified CallManager does not have SIP enabled by default unless a SIP
trunk is configured.
The vulnerabilities are being tracked by the following Cisco bug IDs:
* CSCsu38644, assigned CVE ID CVE-2008-3800
* CSCsm46064, assigned CVE ID CVE-2008-3801
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsu38644 - Valid SIP message can cause CCM process to crash
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsm46064 - Problem when CUCM sends out SIP message with valid header
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
advisory may result in a reload of the Cisco Unified Communications
Manager process, which could result in the interruption of voice
services.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Cisco Unified CallManager version 4.1(3)SR8 contains fixes for all
vulnerabilities affecting Cisco Unified CallManager version 4.1
listed in this advisory, and is scheduled to be released in early
October 2008.
Workarounds
===========
There are no workarounds for these vulnerabilities.
It is possible to mitigate the vulnerabilities by implementing
filtering on screening devices.
To change the ports from their default values, log into the Cisco
Unified CallManager Administration web interface, go to System >
Cisco Unified CM, locate the appropriate Cisco Unified Communications
Manager, change the fields SIP Phone Port and SIP Phone Secure Port
to a non-standard port, then click Save. SIP Phone Port, by default
5060, refers to the TCP and UDP ports where the Cisco Unified
Communications Manager listens for normal SIP messages, and SIP Phone
Secure Port, by default 5061, refers to the TCP and UDP ports where
the Cisco Unified Communications Manager listens for SIP over TLS
messages.
Note: For a change of the SIP ports to take effect, the Cisco
CallManager Service needs to be restarted. For information on how to
accomplish this, refer to "Restarting the Cisco CallManager Service"
at
http://www.cisco.com/en/US/docs/voice_ip_comm/cucmbe/admin/7_0_1/ccmcfg/b03dpi.html#wp1075124
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://www.cisco.com/warp/public/707/cisco-amb-20080924-sip.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were discovered by Cisco internal testing and
during handling of customer service requests.
Status of this Notice: INTERIM
==============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW
INFORMATION BECOMES AVAILABLE.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-----------------------------------------------------------+
| Revision 1.0 | 2008-September-24 | Initial public release |
+-----------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
----------------------------------------------------------------------
TITLE:
Cisco IOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31990
VERIFY ADVISORY:
http://secunia.com/advisories/31990/
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information, DoS, System access
WHERE:
From remote
OPERATING SYSTEM:
Cisco IOS R12.x
http://secunia.com/advisories/product/50/
Cisco IOS 12.x
http://secunia.com/advisories/product/182/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco IOS, which can be
exploited by malicious people to disclose sensitive information,
cause a DoS (Denial of Service), or to compromise a vulnerable
system.
1) An unspecified error exists in the processing of SSL packets
during the termination of an SSL session, which can potentially be
exploited to crash an affected system.
2) Two unspecified errors exist within the processing of Protocol
Independent Multicast (PIM) packets, which can be exploited to cause
an affected device to reload.
Successful exploitation requires that the device is configured with
Network Address Translation (NAT) SCCP Fragmentation Support.
6) An unspecified error in the IOS Intrusion Prevention System (IPS)
feature when processing certain IPS signatures that use the
SERVICE.DNS engine can be exploited to cause a DoS via specially
crafted network traffic.
7) A security issue exists in the processing of extended communities
with Multi Protocol Label Switching (MPLS) Virtual Private Networks
(VPN), which can lead to traffic leaking from one MPLS VPN to
another.
NOTE: This security issue was introduced with CSCee83237.
8) An unspecified error within the Multi Protocol Label Switching
(MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a
DoS via specially crafted network packets.
Successful exploitation requires access to the MPLS network.
9) An unspecified error within the Application Inspection Control
(AIC) can be exploited to cause a reload of an affected device via
specially crafted HTTP packets.
10) An unspecified error in the processing of Layer 2 Tunneling
Protocol (L2TP) packets can be exploited to cause an affected device
to reload via specially crafted L2TP packets.
Successful exploitation requires that the L2TP mgmt daemon process is
running. This process may be enabled e.g. via Layer 2 virtual private
networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack
Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up
Networks (VPDN).
11) An unspecified error exists in the processing of IPC messages.
This can be exploited to reload an affected device via a specially
crafted UDP packet sent to port 1975.
This vulnerability is reported in Cisco 10000, uBR10012, and uBR7200
series devices.
12) A security issue is caused by the device automatically
enabling SNMP with a default community string, which can be exploited
to gain control of an affected system.
Successful exploitation requires that a device is configured for
linecard redundancy.
SOLUTION:
Update to the fixed version (please see the vendor's advisories for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
----------------------------------------------------------------------
| VAR-200809-0036 | CVE-2008-3802 |
SIP message processing denial-of-service (DoS) vulnerability in the SIP implementation of Cisco IOS
Related entries in the VARIoT exploits database: VAR-E-200809-0948 |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Session Initiation Protocol (SIP) implementation in Cisco IOS 12.2 through 12.4, when VoIP is configured, allows remote attackers to cause a denial of service (device reload) via unspecified valid SIP messages, aka Cisco bug ID CSCsk42759, a different vulnerability than CVE-2008-3800 and CVE-2008-3801. The issue is tracked as Bug ID CSCsk42759 and is a different vulnerability from CVE-2008-3800 and CVE-2008-3801. A third party may be able to disrupt service operation (DoS). Devices running Cisco IOS with SIP enabled are prone to multiple denial-of-service vulnerabilities.
These issues are tracked by the following Cisco bug IDs and CVEs:
CSCse56800 (CVE-2008-3799)
CSCsg91306 (CVE-2008-3800)
CSCsl62609 (CVE-2008-3801)
CSCsk42759 (CVE-2008-3802)
An attacker can exploit these issues to deny service to legitimate users. Cisco IOS is the Internet operating system used on Cisco networking equipment. A remote attacker can cause a denial of service via unspecified valid SIP messages.
----------------------------------------------------------------------
TITLE:
Cisco IOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31990
VERIFY ADVISORY:
http://secunia.com/advisories/31990/
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information, DoS, System access
WHERE:
From remote
OPERATING SYSTEM:
Cisco IOS R12.x
http://secunia.com/advisories/product/50/
Cisco IOS 12.x
http://secunia.com/advisories/product/182/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco IOS, which can be
exploited by malicious people to disclose sensitive information,
cause a DoS (Denial of Service), or to compromise a vulnerable
system.
1) An unspecified error exists in the processing of SSL packets
during the termination of an SSL session, which can potentially be
exploited to crash an affected system.
2) Two unspecified errors exist within the processing of Protocol
Independent Multicast (PIM) packets, which can be exploited to cause
an affected device to reload.
Successful exploitation requires that the device is configured with
Network Address Translation (NAT) SCCP Fragmentation Support.
5) Multiple unspecified errors exist in the processing of SIP
messages, which can be exploited to cause a reload of an affected
device.
6) An unspecified error in the IOS Intrusion Prevention System (IPS)
feature when processing certain IPS signatures that use the
SERVICE.DNS engine can be exploited to cause a DoS via specially
crafted network traffic.
7) A security issue exists in the processing of extended communities
with Multi Protocol Label Switching (MPLS) Virtual Private Networks
(VPN), which can lead to traffic leaking from one MPLS VPN to
another.
This security issue does not affect Cisco IOS releases based on
12.1.
NOTE: This security issue was introduced with CSCee83237. Cisco IOS
images that do not include CSCee83237 are reportedly not affected.
8) An unspecified error within the Multi Protocol Label Switching
(MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a
DoS via specially crafted network packets.
Successful exploitation requires access to the MPLS network.
9) An unspecified error within the Application Inspection Control
(AIC) can be exploited to cause a reload of an affected device via
specially crafted HTTP packets.
10) An unspecified error in the processing of Layer 2 Tunneling
Protocol (L2TP) packets can be exploited to cause an affected device
to reload via specially crafted L2TP packets.
Successful exploitation requires that the L2TP mgmt daemon process is
running. This process may be enabled e.g. via Layer 2 virtual private
networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack
Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up
Networks (VPDN).
11) An unspecified error exists in the processing of IPC messages.
This can be exploited to reload an affected device via a specially
crafted UDP packet sent to port 1975.
This vulnerability is reported in Cisco 10000, uBR10012, and uBR7200
series devices.
12) A security issue is caused by the device automatically
enabling SNMP with a default community string, which can be exploited
to gain control of an affected system.
Successful exploitation requires that a device is configured for
linecard redundancy.
SOLUTION:
Update to the fixed version (please see the vendor's advisories for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
----------------------------------------------------------------------
| VAR-200809-0363 | CVE-2008-3809 | Cisco IOS on Gigabit Switch Routers: denial-of-service (DoS) vulnerability related to PIM packet processing |
Related entries in the VARIoT exploits database: VAR-E-200809-0862 |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Cisco IOS 12.0 through 12.4 on Gigabit Switch Router (GSR) devices (aka 12000 Series routers) allows remote attackers to cause a denial of service (device crash) via a malformed Protocol Independent Multicast (PIM) packet. Cisco IOS is prone to multiple remote denial-of-service vulnerabilities because the software fails to properly handle malformed network datagrams.
Successfully exploiting these issues allows remote attackers to cause targeted devices to reload. Multiple exploits can lead to a sustained denial-of-service.
These issues are tracked by Cisco Bug IDs CSCsd95616 and CSCsl34355. Cisco IOS is the Internet operating system used on Cisco networking equipment. Cisco has released free software updates
that address these vulnerabilities. Workarounds that mitigate these
vulnerabilities are available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
Note: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml
Individual publication links are listed below:
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
Affected Products
=================
Vulnerable Products
+------------------
Devices that are running Cisco IOS Software and configured for PIM
have a vulnerability related to a specially crafted PIM packet. In
addition, Cisco 12000 Series (GSR) routers running Cisco IOS Software
have a second vulnerability related to a crafted PIM packet.
The show running-config | include ip pim command can be issued to
verify that a Cisco IOS device is configured for PIM. In the
following example, the Cisco IOS router is configured for PIM
sparse-dense mode.
    Router#show running-config | include ip pim
     ip pim sparse-dense-mode
Note that available PIM modes on a Cisco IOS device are dense mode,
sparse mode, or sparse-dense mode. A device that is configured for
any of these modes is affected by these vulnerabilities. The mode
determines how the device populates its multicast routing table and
how multicast packets are forwarded. PIM must be enabled in one of
these modes for an interface to perform IP multicast routing. More
information on the configuration of each mode is in the "Details"
section.
Additionally, to display information about interfaces configured for
Protocol Independent Multicast (PIM), use the show ip pim interface
command in user EXEC or privileged EXEC mode, as shown in the
following example:
    Router# show ip pim interface
    Address          Interface                Ver/   Nbr    Query  DR     DR
                                              Mode   Count  Intvl  Prior
    10.1.0.1         GigabitEthernet0/0       v2/SD  0      30     1      10.1.0.1
    10.6.0.1         GigabitEthernet0/1       v2/SD  1      30     1      10.6.0.2
In order to determine the software that runs on a Cisco IOS product,
log in to the device and issue the show version command to display
the system banner. Cisco IOS software identifies itself as
"Internetwork Operating System Software" or simply "IOS." On the next
line of output, the image name displays between parentheses, followed
by "Version" and the Cisco IOS release name. Other Cisco devices do
not have the show version command or give different output.
The following example shows output from a device that runs an IOS
image:
    router>show version
    Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(6)T2, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Tue 16-May-06 16:09 by kellythw
    <more output removed for brevity>
Products Confirmed Not Vulnerable
+--------------------------------
Cisco IOS devices that are not configured for PIM are not vulnerable.
Cisco IOS XR Software is not affected by this vulnerability. No other
Cisco products are currently known to be affected by this
vulnerability.
Details
=======
Devices that run Cisco IOS Software and are configured for PIM are
affected by the first vulnerability. Only Cisco 12000 Series (GSR)
routers that are configured for PIM are affected by the second
vulnerability.
Available PIM modes on a Cisco IOS device are dense mode, sparse
mode, or sparse-dense mode. The mode determines how the device
populates its multicast routing table and how multicast packets are
forwarded. PIM must be enabled in one of these modes for an interface
to perform IP multicast routing.
Note: There is no default mode setting. By default, multicast routing
is disabled on an interface.
To configure PIM on an interface to be in dense mode, use the
following command in interface configuration mode:
    Router(config-if)# ip pim dense-mode
To configure PIM on an interface to be in sparse mode, use the
following command in interface configuration mode:
    Router(config-if)# ip pim sparse-mode
To configure PIM on an interface to be in sparse-dense mode, use the
following command in interface configuration mode:
    Router(config-if)# ip pim sparse-dense-mode
These vulnerabilities are documented in the following Cisco Bug IDs:
* CSCsd95616 - Crafted PIM packets may cause an IOS device to
reload
* CSCsl34355 - GSR may crash with malformed PIM packets
These vulnerabilities have been assigned the Common Vulnerabilities
and Exposures (CVE) identifiers CVE-2008-3808 and CVE-2008-3809.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsd95616 - Crafted PIM packets may cause an IOS device to reload
CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete
CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed
CSCsl34355 - GSR may crash with malformed PIM packets
CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete
CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed
Impact
======
Successful exploitation may cause a reload of the affected device.
Repeated exploitation could result in a sustained denial of service
(DoS) condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
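An added example (not part of the Cisco advisory or the VARIoT record) that automates the checks described above: it looks for a PIM mode in `show running-config | include ip pim` output, extracts the release from the `show version` banner, and compares it with the "First Fixed Release" column. The `FIRST_FIXED` subset is copied from rows of the table below; the function names, the older-style banner sample, and the rule for trains with several fixed releases (match on maintenance number first, otherwise require the newest entry) are assumptions of this example.

```python
import re

# "First Fixed Release" cells for a few trains, copied from the advisory table.
#   list -> releases in this train that contain the fix
#   []   -> "Vulnerable; first fixed in <another train>" (no fix in this train)
#   None -> "Not Vulnerable"
# Trains missing from this subset must still be looked up in the table.
FIRST_FIXED = {
    "12.0S": ["12.0(32)S8", "12.0(33)S"],
    "12.0SY": ["12.0(32)SY5"],
    "12.0SZ": ["12.0(30)SZ4"],
    "12.0T": [],
    "12.0WT": None,
    "12.1EA": ["12.1(22)EA10"],
}

# e.g. 12.1(27b)E2 -> major 12.1, maintenance 27, letter b, train E, rebuild 2
RELEASE_RE = re.compile(r"^(\d+\.\d+)\((\d+)([a-z]?)\)([A-Z]*)(\d*)$")
# Only the three interface modes named in the advisory count as "PIM enabled".
PIM_MODE_RE = re.compile(
    r"^\s*ip pim (dense-mode|sparse-mode|sparse-dense-mode)\b", re.M)
# The banner line contains "IOS" and then "Version <release>,".
BANNER_RE = re.compile(r"^.*\bIOS\b.*?Version ([^,\s]+)", re.M)

# Output shown in the advisory.
PAGE_SHOW_VERSION = """\
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(6)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
"""
PAGE_PIM_OUTPUT = " ip pim sparse-dense-mode\n"

# Constructed sample: older banner style with a placeholder image name.
CONSTRUCTED_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) GS Software (EXAMPLE-IMAGE-M), Version 12.0(32)S7, RELEASE SOFTWARE (fc1)
"""


def parse_release(release):
    """Return (train, sort_key) for a release string such as 12.0(32)S8."""
    m = RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised IOS release string: {release!r}")
    major, maint, letter, train, rebuild = m.groups()
    return major + train, (int(maint), letter, int(rebuild or 0))


def release_status(release):
    """Classify a release against the First Fixed Release column."""
    train, key = parse_release(release)
    if train not in FIRST_FIXED:
        return "unknown-train"
    fixed = FIRST_FIXED[train]
    if fixed is None:
        return "not-vulnerable"
    if not fixed:
        return "vulnerable"  # fix exists only in another train
    fixed_keys = [parse_release(f)[1] for f in fixed]
    # Assumption: an entry with the same maintenance number is the threshold
    # for that maintenance release; otherwise require the newest fixed entry.
    same_maint = [k for k in fixed_keys if k[0] == key[0]]
    threshold = same_maint[0] if same_maint else max(fixed_keys)
    return "fixed" if key >= threshold else "vulnerable"


def triage(show_version_output, pim_filter_output):
    """Combine the PIM check and the release check into one verdict."""
    banner = BANNER_RE.search(show_version_output)
    if not banner:
        raise ValueError("no IOS version banner found")
    release = banner.group(1)
    modes = sorted(set(PIM_MODE_RE.findall(pim_filter_output)))
    status = release_status(release)
    if not modes:
        verdict = "not-exposed"  # PIM not configured on the device
    elif status == "vulnerable":
        verdict = "upgrade"
    elif status == "unknown-train":
        verdict = "check-table"
    else:
        verdict = "no-action"
    return {"release": release, "pim_modes": modes,
            "release_status": status, "verdict": verdict}


if __name__ == "__main__":
    for banner_text in (PAGE_SHOW_VERSION, CONSTRUCTED_SHOW_VERSION):
        print(triage(banner_text, PAGE_PIM_OUTPUT))
```

Release strings that do not follow the `major(maintenance)TRAINrebuild` pattern, such as 12.0(3c)W5(8) in the table, raise `ValueError` and need manual review.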
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+------------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0 | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.0(8)DA3 are | 12.2(12)DA13 |
| | vulnerable, release 12.0(8)DA3 and | |
| 12.0DA | later are not vulnerable; first fixed | 12.4(15)T7 |
| | in 12.2DA | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0DB | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0DC | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | 12.0(32)S8 | 12.0(32)S11 |
| 12.0S | | |
| | 12.0(33)S | 12.0(33)S1 |
|------------+---------------------------------------+--------------|
| | | 12.0(32)S11 |
| 12.0SC | Vulnerable; first fixed in 12.0S | |
| | | 12.0(33)S1 |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0SL | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0SP | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.0(32)S11 |
| 12.0ST | Vulnerable; first fixed in 12.0S | |
| | | 12.0(33)S1 |
|------------+---------------------------------------+--------------|
| | | 12.0(32)S11 |
| 12.0SX | Vulnerable; first fixed in 12.0S | |
| | | 12.0(33)S1 |
|------------+---------------------------------------+--------------|
| | | 12.0(32)SY7; |
| 12.0SY | 12.0(32)SY5 | Available on |
| | | 29-SEP-08 |
|------------+---------------------------------------+--------------|
| | | 12.0(32)S11 |
| 12.0SZ | 12.0(30)SZ4 | |
| | | 12.0(33)S1 |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0T | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.0W | Vulnerable; first fixed in 12.2 | 12.0(3c)W5 |
| | | (8) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.0(5)WC10 are | 12.4(15)T7 |
| 12.0WC | vulnerable, release 12.0(5)WC10 and | |
| | later are not vulnerable; first fixed | 12.4(18c) |
| | in 12.2 | |
|------------+---------------------------------------+--------------|
| 12.0WT | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XA | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XB | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.0(2)XC2 are | 12.4(15)T7 |
| 12.0XC | vulnerable, release 12.0(2)XC2 and | |
| | later are not vulnerable; first fixed | 12.4(18c) |
| | in 12.2 | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XD | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XE | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.0XF | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XG | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XH | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.0(4)XI2 are | 12.4(15)T7 |
| 12.0XI | vulnerable, release 12.0(4)XI2 and | |
| | later are not vulnerable; first fixed | 12.4(18c) |
| | in 12.2 | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XJ | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XK | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XL | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XM | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XN | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XQ | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XR | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.0XS | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XT | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XV | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1 | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1AA | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.1AX | Vulnerable; first fixed in 12.2EY | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.1(22)AY1 are | 12.1(22)EA12 |
| 12.1AY | vulnerable, release 12.1(22)AY1 and | |
| | later are not vulnerable; first fixed | 12.2(46)SE |
| | in 12.1EA | |
|------------+---------------------------------------+--------------|
| 12.1AZ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1CX | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(12)DA13 |
| | | |
| 12.1DA | Vulnerable; first fixed in 12.2DA | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1DB | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1DC | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.1E | 12.1(27b)E2 | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.1EA | 12.1(22)EA10 | 12.1(22)EA12 |
|------------+---------------------------------------+--------------|
| 12.1EB | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SCA1 |
| 12.1EC | Vulnerable; first fixed in 12.3BC | |
| | | 12.3(23)BC4 |
|------------+---------------------------------------+--------------|
| 12.1EO | Vulnerable; first fixed in 12.2SV | |
|------------+---------------------------------------+--------------|
| | | 12.2(25) |
| | | EWA14 |
| 12.1EU | Vulnerable; first fixed in 12.2EWA | |
| | | 12.2(31)SGA8 |
| | | |
| | | 12.2(46)SG1 |
|------------+---------------------------------------+--------------|
| 12.1EV | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.2(25) |
| | | EWA14 |
| | | |
| | | 12.2(31)SGA8 |
| 12.1EW | Vulnerable; first fixed in 12.2 | |
| | | 12.2(46)SG1 |
| | | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1EX | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.1EY | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.2(18) |
| | | SXF15 |
| 12.1EZ | Vulnerable; first fixed in 12.1E | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1GA | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1GB | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1T | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XA | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XB | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XC | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XD | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XE | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XF | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XG | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XH | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XI | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XJ | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XL | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XM | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XP | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XQ | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XR | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XS | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XT | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XU | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XV | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XW | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XX | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XY | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XZ | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1YA | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1YB | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1YC | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1YD | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.1(5)YE6 are | 12.4(15)T7 |
| 12.1YE | vulnerable, release 12.1(5)YE6 and | |
| | later are not vulnerable; first fixed | 12.4(18c) |
| | in 12.2 | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1YF | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1YH | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.1YI | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.1YJ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|------------+---------------------------------------+--------------|
| | 12.2(26c) | |
| | | |
| | 12.2(27c) | |
| | | 12.4(15)T7 |
| 12.2 | 12.2(28d) | |
| | | 12.4(18c) |
| | 12.2(29b) | |
| | | |
| | 12.2(46) | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2B | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SCA1 |
| | | |
| | | 12.3(23)BC4 |
| 12.2BC | Vulnerable; first fixed in 12.3 | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2BW | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| | | Available on |
| | | 26-SEP-08 |
| 12.2BX | Vulnerable; first fixed in 12.3 | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2BY | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2BZ | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SCA1 |
| | | |
| | | 12.3(23)BC4 |
| 12.2CX | Vulnerable; first fixed in 12.3 | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SCA1 |
| | | |
| | | 12.3(23)BC4 |
| 12.2CY | Vulnerable; first fixed in 12.3 | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| 12.2CZ | Vulnerable; first fixed in 12.2S | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| | 12.2(10)DA9 | |
| 12.2DA | | 12.2(12)DA13 |
| | 12.2(12)DA13 | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2DD | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2DX | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(25) |
| | | EWA14 |
| 12.2EW | Vulnerable; first fixed in 12.2EWA | |
| | | 12.2(31)SGA8 |
| | | |
| | | 12.2(46)SG1 |
|------------+---------------------------------------+--------------|
| | 12.2(25)EWA10 | 12.2(25) |
| 12.2EWA | | EWA14 |
| | 12.2(25)EWA11 | |
|------------+---------------------------------------+--------------|
| 12.2EX | 12.2(37)EX | 12.2(35)EX2 |
|------------+---------------------------------------+--------------|
| 12.2EY | 12.2(37)EY | |
|------------+---------------------------------------+--------------|
| 12.2EZ | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2FX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2FY | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2FZ | Vulnerable; first fixed in 12.2SE | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2IRB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2IXA | Vulnerable; migrate to any release in | 12.2(18)IXG |
| | 12.2IXE | |
|------------+---------------------------------------+--------------|
| 12.2IXB | Vulnerable; migrate to any release in | 12.2(18)IXG |
| | 12.2IXE | |
|------------+---------------------------------------+--------------|
| 12.2IXC | Vulnerable; migrate to any release in | 12.2(18)IXG |
| | 12.2IXE | |
|------------+---------------------------------------+--------------|
| 12.2IXD | Vulnerable; migrate to any release in | 12.2(18)IXG |
| | 12.2IXE | |
|------------+---------------------------------------+--------------|
| 12.2IXE | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2IXF | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2IXG | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2JA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2JK | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.2(25)SW12 |
| | | |
| 12.2MB | Vulnerable; first fixed in 12.2SW | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2MC | 12.2(15)MC2i | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | 12.2(14)S18 | |
| | | |
| | 12.2(18)S13 | 12.2(33)SB2; |
| 12.2S | | Available on |
| | 12.2(20)S13 | 26-SEP-08 |
| | | |
| | 12.2(25)S13 | |
|------------+---------------------------------------+--------------|
| | 12.2(28)SB7 | |
| | | 12.2(33)SB2; |
| 12.2SB | 12.2(31)SB5 | Available on |
| | | 26-SEP-08 |
| | 12.2(33)SB | |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| 12.2SBC | Vulnerable; first fixed in 12.2SB | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| 12.2SCA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | 12.2(35)SE4 | |
| 12.2SE | | 12.2(46)SE |
| | 12.2(37)SE | |
|------------+---------------------------------------+--------------|
| 12.2SEA | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2SEB | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2SEC | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2SED | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2SEE | 12.2(25)SEE4 | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2SEF | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SEG | 12.2(25)SEG3 | 12.2(25)SEG6 |
|------------+---------------------------------------+--------------|
| | 12.2(25)SG3 | |
| | | |
| 12.2SG | 12.2(31)SG3 | 12.2(46)SG1 |
| | | |
| | 12.2(37)SG | |
|------------+---------------------------------------+--------------|
| 12.2SGA | 12.2(31)SGA2 | 12.2(31)SGA8 |
|------------+---------------------------------------+--------------|
| 12.2SL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SM | 12.2(29)SM3 | 12.2(29)SM4 |
|------------+---------------------------------------+--------------|
| 12.2SO | Vulnerable; first fixed in 12.2SV | |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SRB4 |
| 12.2SRA | 12.2(33)SRA4 | |
| | | 12.2(33)SRC2 |
|------------+---------------------------------------+--------------|
| 12.2SRB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SRC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2SU | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2SV | 12.2(29b)SV1 | |
|------------+---------------------------------------+--------------|
| 12.2SVA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SVC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SVD | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SW | 12.2(25)SW12 | 12.2(25)SW12 |
|------------+---------------------------------------+--------------|
| 12.2SX | Vulnerable; first fixed in 12.2SXF | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.2SXA | Vulnerable; first fixed in 12.2SXF | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.2SXB | Vulnerable; first fixed in 12.2SXF | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.2SXD | Vulnerable; first fixed in 12.2SXF | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.2SXE | Vulnerable; first fixed in 12.2SXF | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.2SXF | 12.2(18)SXF9 | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| | Not Vulnerable | |
| 12.2SXH | | |
| | http://www.cisco.com/go/pn | |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| 12.2SY | Vulnerable; first fixed in 12.2S | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| 12.2SZ | Vulnerable; first fixed in 12.2S | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2T | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2TPC | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XA | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XB | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XC | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XD | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XE | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SCA1 |
| | | |
| | | 12.3(23)BC4 |
| 12.2XF | Vulnerable; first fixed in 12.3 | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.2(2)XG1 are | 12.4(15)T7 |
| 12.2XG | vulnerable, release 12.2(2)XG1 and | |
| | later are not vulnerable; first fixed | 12.4(18c) |
| | in 12.3 | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XH | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XI | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XJ | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XK | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XL | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XM | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| | | Available on |
| | | 26-SEP-08 |
| 12.2XN | 12.2(33)XN1 | |
| | | 12.2(33)SRC2 |
| | | |
| | | 12.2(33)XNA2 |
|------------+---------------------------------------+--------------|
| 12.2XNA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XNB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XO | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XQ | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.2(15)XR are | 12.3(8)JEA3 |
| | vulnerable, release 12.2(15)XR and | |
| 12.2XR | later are not vulnerable; first fixed | 12.4(15)T7 |
| | in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XS | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XT | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XU | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XV | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XW | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2YA | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2YB | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YC | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YD | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YE | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YF | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YG | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YH | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YJ | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YK | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YL | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2YM | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2YN | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YO | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2YP | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2YQ | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YR | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YS | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2YT | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YU | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YV | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YW | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YX | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YY | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YZ | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZA | Vulnerable; first fixed in 12.2SXF | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.2ZB | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZC | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZD | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2ZE | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2ZF | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2ZG | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2ZH | 12.2(13)ZH9 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2ZJ | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZL | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZP | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZU | Vulnerable; migrate to any release in | 12.2(33)SXH3 |
| | 12.2SXH | |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| 12.2ZX | Vulnerable; first fixed in 12.2SB | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| 12.2ZY | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2ZYA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| Affected | | Recommended |
| 12.3-Based | First Fixed Release | Release |
| Releases | | |
|------------+---------------------------------------+--------------|
| | 12.3(17c) | |
| | | |
| | 12.3(18a) | |
| | | 12.4(15)T7 |
| 12.3 | 12.3(19a) | |
| | | 12.4(18c) |
| | 12.3(20a) | |
| | | |
| | 12.3(21) | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3B | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | 12.3(17b)BC6 | |
| 12.3BC | | 12.3(23)BC4 |
| | 12.3(21)BC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3BW | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3EU | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JEA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JEB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JEC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JK | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3T | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3TPC | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.3VA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XA | 12.3(2)XA7 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3XB | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XC | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XD | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XE | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3XF | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XG | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| 12.3XI | 12.3(7)XI10 | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| | | 12.3(14)YX13 |
| 12.3XJ | Vulnerable; first fixed in 12.3YX | |
| | | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XK | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XL | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XQ | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XR | 12.3(7)XR7 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XS | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3XU | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.3(14)YX13 |
| 12.3XW | Vulnerable; first fixed in 12.3YX | |
| | | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XX | 12.3(8)XX2d | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XY | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XZ | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3YA | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3YD | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.3(14)YX13 |
| 12.3YF | Vulnerable; first fixed in 12.3YX | |
| | | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YG | 12.3(8)YG6 | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YH | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YI | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YJ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YK | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.3(14) |
| 12.3YM | 12.3(14)YM10 | YM13; |
| | | Available on |
| | | 30-SEP-08 |
|------------+---------------------------------------+--------------|
| 12.3YQ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YS | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YT | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.4(2)XB10 |
| | | |
| 12.3YU | Vulnerable; first fixed in 12.4XB | 12.4(9)XG3 |
| | | |
| | | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YX | 12.3(14)YX8 | 12.3(14)YX13 |
|------------+---------------------------------------+--------------|
| 12.3YZ | 12.3(11)YZ3 | |
|------------+---------------------------------------+--------------|
| 12.3ZA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| Affected | | Recommended |
| 12.4-Based | First Fixed Release | Release |
| Releases | | |
|------------+---------------------------------------+--------------|
| | 12.4(10c) | |
| | | |
| | 12.4(12) | |
| | | |
| | 12.4(3h) | |
| 12.4 | | 12.4(18c) |
| | 12.4(5c) | |
| | | |
| | 12.4(7e) | |
| | | |
| | 12.4(8d) | |
|------------+---------------------------------------+--------------|
| 12.4JA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JK | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JMA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JMB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JMC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4MD | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4MR | 12.4(11)MR | 12.4(19)MR |
|------------+---------------------------------------+--------------|
| 12.4SW | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | 12.4(11)T | |
| | | |
| | 12.4(2)T6 | |
| | | |
| 12.4T | 12.4(4)T8 | 12.4(15)T7 |
| | | |
| | 12.4(6)T7 | |
| | | |
| | 12.4(9)T3 | |
|------------+---------------------------------------+--------------|
| 12.4XA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.4XB | 12.4(2)XB6 | 12.4(2)XB10 |
|------------+---------------------------------------+--------------|
| 12.4XC | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.4(4)XD11; |
| 12.4XD | 12.4(4)XD8 | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| 12.4XE | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.4XF | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XG | 12.4(9)XG2 | 12.4(9)XG3 |
|------------+---------------------------------------+--------------|
| 12.4XJ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XK | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XM | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XN | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XP | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.4XQ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XR | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XT | 12.4(6)XT2 | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.4XV | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XW | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XY | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XZ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4YA | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
Specifying trusted PIM neighbors is a workaround for both
vulnerabilities. A PIM router must receive PIM Hellos to establish
PIM neighborship. PIM neighborship is also the basis for designated
router (DR) election, DR failover, and accepting/sending PIM Join/
Prune/Assert messages. To specify trusted PIM neighbors, use the ip
pim neighbor-filter command, as shown in the following example:

    Router(config)#access-list 1 permit host 10.10.10.123
    !-- An access control list is created to allow a trusted PIM neighbor
    !-- in this example the neighbor is 10.10.10.123
    !
    Router(config)#interface fastEthernet 0/0
    Router(config-if)#ip pim neighbor-filter 1
    !-- The PIM neighbor filter is then applied to the respective interface(s)

The ip pim neighbor-filter command filters PIM packets from untrusted
devices including Hellos, Join/Prune, and BSR packets.
Note: The vulnerabilities described in this document can be exploited
by spoofed IP packets if the attacker knows the IP address of the
trusted PIM neighbors listed in the ip pim neighbor-filter
implementation.
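
A configuration check for the neighbor-filter workaround above, added here as an example and not part of Cisco's advisory: it reads an IOS-style configuration and reports, for each PIM-enabled interface, whether ip pim neighbor-filter is applied and whether the ACL it references is defined. The sample configuration is constructed, and the function names are assumptions of this example.

```python
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
access-list 1 permit host 10.10.10.123
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip pim sparse-mode
 ip pim neighbor-filter 1
!
interface FastEthernet0/1
 ip address 10.10.20.1 255.255.255.0
 ip pim sparse-dense-mode
!
interface FastEthernet1/0
 ip address 10.10.30.1 255.255.255.0
 ip pim sparse-mode
 ip pim neighbor-filter 7
!
interface Loopback0
 ip address 192.168.100.1 255.255.255.255
!
"""

PIM_MODE = re.compile(r"^ip pim (sparse-mode|dense-mode|sparse-dense-mode)\b")
NEIGHBOR_FILTER = re.compile(r"^ip pim neighbor-filter (\S+)")
NUMBERED_ACL = re.compile(r"^access-list (\d+) ")
NAMED_ACL = re.compile(r"^ip access-list standard (\S+)")


def parse_config(text):
    """Return (defined_acls, interfaces).

    interfaces maps an interface name to the list of its sub-commands;
    a sub-command is any indented line that follows an 'interface' line.
    """
    acls, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # separators and comments
        if raw[0].isspace() and current is not None:
            interfaces[current].append(line)
            continue
        current = None  # any other top-level line closes the interface block
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            m = NUMBERED_ACL.match(line) or NAMED_ACL.match(line)
            if m:
                acls.add(m.group(1))
    return acls, interfaces


def audit_pim_neighbor_filters(text):
    """Return {interface: finding} for every interface with PIM enabled."""
    acls, interfaces = parse_config(text)
    findings = {}
    for name, cmds in interfaces.items():
        if not any(PIM_MODE.match(c) for c in cmds):
            continue  # PIM is not enabled on this interface
        filters = [m.group(1) for c in cmds if (m := NEIGHBOR_FILTER.match(c))]
        if not filters:
            findings[name] = "MISSING neighbor-filter"
        elif filters[-1] not in acls:
            findings[name] = f"neighbor-filter {filters[-1]} references undefined ACL"
        else:
            findings[name] = f"ok (ACL {filters[-1]})"
    return findings


if __name__ == "__main__":
    for interface, finding in audit_pim_neighbor_filters(SAMPLE_CONFIG).items():
        print(f"{interface:20} {finding}")
```
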
To protect infrastructure devices and minimize the risk, impact, and
effectiveness of direct infrastructure attacks, administrators are
advised to deploy ACLs to perform policy enforcement of traffic sent
to core infrastructure equipment. PIM is IP protocol 103. As an
additional workaround, administrators can explicitly permit only
authorized PIM (IP protocol 103) traffic sent to infrastructure
devices in accordance with existing security policies and
configurations. An ACL can be deployed as shown in the following
example:

    ip access-list extended Infrastructure-ACL-Policy
     !
     !-- When applicable, include explicit permit statements for trusted
     !-- sources that require access on the vulnerable protocol
     !-- PIM routers need to communicate with the rendezvous point (RP).
     !-- In this example, 192.168.100.1 is the IP address of the
     !-- rendezvous point, which is a trusted host that requires access
     !-- to and from the affected PIM devices.
     !
     permit pim host 192.168.100.1 192.168.60.0 0.0.0.255
     permit pim 192.168.60.0 0.0.0.255 host 192.168.100.1
     !
     !-- Permit PIM segment traffic, packets have destination of:
     !-- 224.0.0.13 (PIMv2)
     !-- 224.0.0.2 (Required only by legacy PIMv1)
     !
     permit pim 192.168.60.0 0.0.0.255 host 224.0.0.13
     permit pim 192.168.60.0 0.0.0.255 host 224.0.0.2
     !
     !-- The following vulnerability-specific access control entries
     !-- (ACEs) can aid in identification of attacks
     !
     deny pim any 192.168.60.0 0.0.0.255
     !
     !-- Explicit deny ACE for traffic sent to addresses configured within
     !-- the infrastructure address space
     !
     deny ip any 192.168.60.0 0.0.0.255
     !
     !-- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
     !-- with existing security policies and configurations
     !
     !-- Apply iACL to interfaces in the ingress direction
     !
    interface GigabitEthernet0/0
     ip access-group Infrastructure-ACL-Policy in

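
The first-match behaviour of the ACEs above, as an added example that is not part of Cisco's advisory: the Python below evaluates constructed packets against the six ACEs in order and keeps a per-ACE hit counter, which is how the vulnerability-specific deny entry aids in identifying attacks. The packet list, the 203.0.113.9 source address and the function names are constructed for illustration.

```python
import ipaddress

# The six ACEs of Infrastructure-ACL-Policy from the advisory, in order.
ACL_TEXT = """\
permit pim host 192.168.100.1 192.168.60.0 0.0.0.255
permit pim 192.168.60.0 0.0.0.255 host 192.168.100.1
permit pim 192.168.60.0 0.0.0.255 host 224.0.0.13
permit pim 192.168.60.0 0.0.0.255 host 224.0.0.2
deny pim any 192.168.60.0 0.0.0.255
deny ip any 192.168.60.0 0.0.0.255
"""

PROTO_NUM = {"pim": 103}  # from the advisory: PIM is IP protocol 103

# Constructed packets: (IP protocol number, source, destination).
SAMPLE_PACKETS = [
    (103, "192.168.100.1", "192.168.60.5"),  # RP to an infrastructure router
    (103, "192.168.60.7", "224.0.0.13"),     # PIMv2 segment traffic
    (103, "203.0.113.9", "192.168.60.5"),    # PIM from a source that is not trusted
    (6, "203.0.113.9", "192.168.60.5"),      # TCP sent to infrastructure space
    (103, "203.0.113.9", "224.0.0.13"),      # no listed ACE matches this one
]


def take_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD').

    Returns (base, wildcard) as integers.
    """
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    wildcard = tokens.pop(0)
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(wildcard))


def parse_acl(text):
    """Parse 'action proto src dst' lines into ordered ACE dictionaries."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        src = take_addr(tokens)
        dst = take_addr(tokens)
        aces.append({"text": line, "action": action, "proto": proto,
                     "src": src, "dst": dst, "hits": 0})
    return aces


def addr_match(addr, spec):
    """Wildcard-mask match: a 1 bit in the wildcard means 'do not compare'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def evaluate(aces, proto_num, src, dst):
    """Return the action of the first matching ACE and count the hit."""
    for ace in aces:
        if ace["proto"] != "ip" and PROTO_NUM.get(ace["proto"]) != proto_num:
            continue
        if addr_match(src, ace["src"]) and addr_match(dst, ace["dst"]):
            ace["hits"] += 1
            return ace["action"]
    # Nothing matched: with no further entries the ACL ends in an implicit deny.
    return "implicit deny"


def run_sample():
    """Evaluate SAMPLE_PACKETS; return (verdicts, per-ACE hit counts)."""
    aces = parse_acl(ACL_TEXT)
    verdicts = [evaluate(aces, p, s, d) for p, s, d in SAMPLE_PACKETS]
    return verdicts, [ace["hits"] for ace in aces]


if __name__ == "__main__":
    verdicts, hits = run_sample()
    for packet, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(packet, "->", verdict)
    for ace, count in zip(parse_acl(ACL_TEXT), hits):
        print(f"{count:3d} matches  {ace['text']}")
```

On a device, the equivalent per-ACE match counts appear in the output of show access-lists; a rising count on the deny pim entry is the signal to investigate.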
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action regarding this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were found during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-----------------------------------------------------------+
| Revision 1.0 | 2008-September-24 | Initial public release |
+-----------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
1) An unspecified error exists in the processing of SSL packets
during the termination of an SSL session, which can potentially be
exploited to crash an affected system.
3) Unspecified errors within the processing of segmented Skinny Call
Control Protocol (SCCP) messages can be exploited to cause a Cisco
IOS device to reload.
Successful exploitation requires that the device is configured with
Network Address Translation (NAT) SCCP Fragmentation Support.
4) A memory leak in the processing of Session Initiation Protocol
(SIP) messages can be exploited to cause a DoS for all voice
services.
5) Multiple unspecified errors exist in the processing of SIP
messages, which can be exploited to cause a reload of an affected
device.
6) An unspecified error in the IOS Intrusion Prevention System (IPS)
feature when processing certain IPS signatures that use the
SERVICE.DNS engine can be exploited to cause a DoS via specially
crafted network traffic.
7) A security issue exists in the processing of extended communities
with Multi Protocol Label Switching (MPLS) Virtual Private Networks
(VPN), which can lead to traffic leaking from one MPLS VPN to
another.
NOTE: This security issue was introduced with CSCee83237.
8) An unspecified error within the Multi Protocol Label Switching
(MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a
DoS via specially crafted network packets.
Successful exploitation requires access to the MPLS network.
9) An unspecified error within the Application Inspection Control
(AIC) can be exploited to cause a reload of an affected device via
specially crafted HTTP packets.
10) An unspecified error in the processing of Layer 2 Tunneling
Protocol (L2TP) packets can be exploited to cause an affected device
to reload via specially crafted L2TP packets.
Successful exploitation requires that the L2TP mgmt daemon process is
running. This process may be enabled e.g. via Layer 2 virtual private
networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack
Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up
Networks (VPDN).
11) An unspecified error exists in the processing of IPC messages.
This can be exploited to reload an affected device via a specially
crafted UDP packet sent to port 1975.
12) A security issue is caused due to the device automatically
enabling SNMP with a default community string, which can be exploited
to gain control of an affected system.
SOLUTION:
Update to the fixed version (please see the vendor's advisories for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
| VAR-200809-0039 | CVE-2008-3805 | Cisco IOS In UDP Interfering with service operations related to packet processing (DoS) Vulnerabilities |
CVSS V2: 8.5 CVSS V3: - Severity: HIGH |
Cisco IOS 12.0 through 12.4 on Cisco 10000, uBR10012 and uBR7200 series devices handles external UDP packets that are sent to 127.0.0.0/8 addresses intended for IPC communication within the device, which allows remote attackers to cause a denial of service (device or linecard reload) via crafted UDP packets, a different vulnerability than CVE-2008-3806. Multiple Cisco products running Cisco IOS (Internetwork Operating System) are prone to a denial-of-service vulnerability when handling maliciously crafted UDP-based IPC traffic.
An attacker can exploit this issue to trigger device or linecard reloads, causing denial-of-service conditions.
The following device series are affected:
Cisco 10000
Cisco uBR10012
Cisco uBR7200.
TITLE:
Cisco IOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31990
VERIFY ADVISORY:
http://secunia.com/advisories/31990/
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information, DoS, System access
WHERE:
From remote
OPERATING SYSTEM:
Cisco IOS R12.x
http://secunia.com/advisories/product/50/
Cisco IOS 12.x
http://secunia.com/advisories/product/182/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco IOS, which can be
exploited by malicious people to disclose sensitive information,
cause a DoS (Denial of Service), or to compromise a vulnerable
system.
1) An unspecified error exists in the processing of SSL packets
during the termination of an SSL session, which can potentially be
exploited to crash an affected system.
2) Two unspecified errors exist within the processing of Protocol
Independent Multicast (PIM) packets, which can be exploited to cause
an affected device to reload.
3) Unspecified errors within the processing of segmented Skinny Call
Control Protocol (SCCP) messages can be exploited to cause a Cisco
IOS device to reload.
Successful exploitation requires that the device is configured with
Network Address Translation (NAT) SCCP Fragmentation Support.
4) A memory leak in the processing of Session Initiation Protocol
(SIP) messages can be exploited to cause a DoS for all voice
services.
6) An unspecified error in the IOS Intrusion Prevention System (IPS)
feature when processing certain IPS signatures that use the
SERVICE.DNS engine can be exploited to cause a DoS via specially
crafted network traffic.
7) A security issue exists in the processing of extended communities
with Multi Protocol Label Switching (MPLS) Virtual Private Networks
(VPN), which can lead to traffic leaking from one MPLS VPN to
another.
8) An unspecified error within the Multi Protocol Label Switching
(MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a
DoS via specially crafted network packets.
Successful exploitation requires access to the MPLS network.
9) An unspecified error within the Application Inspection Control
(AIC) can be exploited to cause a reload of an affected device via
specially crafted HTTP packets.
10) An unspecified error in the processing of Layer 2 Tunneling
Protocol (L2TP) packets can be exploited to cause an affected device
to reload via specially crafted L2TP packets.
Successful exploitation requires that the L2TP mgmt daemon process is
running. This process may be enabled e.g. via Layer 2 virtual private
networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack
Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up
Networks (VPDN).
11) An unspecified error exists in the processing of IPC messages.
12) A security issue is caused due to the device automatically
enabling SNMP with a default community string, which can be exploited
to gain control of an affected system.
Successful exploitation requires that a device is configured for
linecard redundancy.
SOLUTION:
Update to the fixed version (please see the vendor's advisories for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
No other platforms are affected.
Cisco has released free software updates that address this
vulnerability. Workarounds that mitigate this vulnerability are
available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
Note: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml
Individual publication links are listed below:
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
Affected Products
=================
Cisco 10000, uBR10012 and uBR7200 series devices that are running an
affected version of Cisco IOS are affected. The following example shows an output taken
from a Cisco 10000 series device running Cisco IOS software release
12.2(31)SB10e:
c10k#show version | include IOS
Cisco IOS Software, 10000 Software (C10K3-P11-M), Version 12.2(31)SB10e, RELEASE SOFTWARE (fc1)
c10k#
The following example shows an output taken from a Cisco uBR10012
series device running Cisco IOS software release 12.3(17b)BC7:
ubr10k#show version | include IOS
IOS (tm) 10000 Software (UBR10K-K8P6U2-M), Version 12.3(17b)BC7, RELEASE SOFTWARE (fc1)
ubr10k#
The following example shows an output taken from a Cisco uBR7200
series device running Cisco IOS software release 12.3(21a)BC2:
ubr7200#show version | include IOS
IOS (tm) 7200 Software (UBR7200-IK9SU2-M), Version 12.3(21a)BC2, RELEASE SOFTWARE (fc1)
ubr7200#
Please refer to the document entitled "White Paper: Cisco IOS
Reference Guide" for additional information on the Cisco IOS release
naming conventions. This document is available at the following link:
http://www.cisco.com/warp/public/620/1.html
Any version of Cisco IOS prior to the fixed versions listed in the
Software Versions and Fixes section below is vulnerable.
No other Cisco products are currently known to be affected by this
vulnerability. This channel uses addresses from the 127.0.0.0/8 range and
UDP port 1975.
Filtering unauthorized traffic destined to 127.0.0.0/8 or UDP port
1975 will mitigate this vulnerability.
This vulnerability is documented in the Cisco Bug IDs CSCsg15342
and CSCsh29217 and has been assigned Common Vulnerabilities and
Exposures (CVE) ID CVE-2008-3805.
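The filter condition described above, applied offline to flow records as a detection check. This is an added example, not code from Cisco or from the advisory; the record layout, the interface names and the INTERNAL_INTERFACES set are assumptions, and the sample flows are constructed. Authorization is keyed on the ingress interface rather than the source address, because UDP source addresses are trivially spoofed.

```python
import ipaddress
from typing import List, NamedTuple, Set, Tuple, Union

# Values taken from the advisory text.
IPC_NET = ipaddress.ip_network("127.0.0.0/8")
IPC_UDP_PORT = 1975

# Assumption: interfaces on which IPC-range traffic is considered authorized.
INTERNAL_INTERFACES: Set[str] = {"Mgmt0"}

# Constructed sample records: ingress_if src dst proto dst_port
SAMPLE_FLOWS = """\
# constructed test data, not captured traffic
Gi1/0/0 198.51.100.7 127.0.0.12 udp 1975
Gi1/0/0 198.51.100.7 192.0.2.1 udp 1975
Gi1/0/0 203.0.113.9 192.0.2.1 udp 53
Gi1/0/0 203.0.113.9 127.0.0.1 tcp 80
Mgmt0 192.0.2.130 192.0.2.1 udp 1975
Gi1/0/0 203.0.113.9 192.0.2.1 udp notaport
Gi1/0/0 203.0.113.9 192.0.2.1 tcp 1975
"""

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class Flow(NamedTuple):
    ingress: str
    src: Address
    dst: Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record; raise ValueError if malformed."""
    parts = line.split()
    if len(parts) != 5:
        raise ValueError("expected 5 fields, got %d" % len(parts))
    ingress, src, dst, proto, dport = parts
    port = int(dport)  # ValueError on non-numeric ports
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return Flow(ingress, ipaddress.ip_address(src),
                ipaddress.ip_address(dst), proto.lower(), port)


def match_reasons(flow: Flow, internal: Set[str]) -> List[str]:
    """Return why a flow matches the advisory's filter, or [] if it does not."""
    if flow.ingress in internal:
        return []  # authorized by ingress interface (assumption, see above)
    reasons = []
    if flow.dst in IPC_NET:  # any protocol destined to 127.0.0.0/8
        reasons.append("dst-127/8")
    if flow.proto == "udp" and flow.dport == IPC_UDP_PORT:
        reasons.append("udp-1975")
    return reasons


def scan(text: str, internal: Set[str]) -> Tuple[List[Tuple[Flow, List[str]]], int]:
    """Scan records; return (matching flows with reasons, malformed line count)."""
    hits, malformed = [], 0
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            flow = parse_flow(stripped)
        except ValueError:
            malformed += 1  # count rather than silently drop bad records
            continue
        reasons = match_reasons(flow, internal)
        if reasons:
            hits.append((flow, reasons))
    return hits, malformed


if __name__ == "__main__":
    found, bad = scan(SAMPLE_FLOWS, INTERNAL_INTERFACES)
    for flow, reasons in found:
        print(flow.ingress, flow.src, "->", flow.dst, flow.proto,
              flow.dport, ",".join(reasons))
    print("malformed records:", bad)
```
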
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsg15342 - IPC processing needs to be more robust
CVSS Base Score - 8.5
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - Partial
Availability Impact - Complete
CVSS Temporal Score - 7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsh29217 - IPC processing needs to be more robust
CVSS Base Score - 8.5
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - Partial
Availability Impact - Complete
CVSS Temporal Score - 7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may result in a reload
of the device, linecards, or both, resulting in a DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|-------------+-----------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|-------------+-------------------------------------+---------------|
| 12.0 | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0DA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0DB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0DC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| | Releases prior to 12.0(32)S are | 12.0(32)S11 |
| 12.0S | vulnerable, release 12.0(32)S and | |
| | later are not vulnerable; | 12.0(33)S1 |
|-------------+-------------------------------------+---------------|
| 12.0SC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0SL | Vulnerable, migrate to 12.0S, 12.1 | |
|-------------+-------------------------------------+---------------|
| 12.0SP | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0ST | Vulnerable, migrate to 12.0S, 12.1 | |
|-------------+-------------------------------------+---------------|
| 12.0SX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0SY | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| | | 12.0(32)S11 |
| 12.0SZ | 12.0(30)SZ4 | |
| | | 12.0(33)S1 |
|-------------+-------------------------------------+---------------|
| 12.0T | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0W | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0WC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0WT | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XE | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XF | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XG | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XH | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XI | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XJ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XK | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XL | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XM | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XN | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XQ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XR | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XS | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XT | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.0XV | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|-------------+-------------------------------------+---------------|
| 12.2 | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2B | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2BC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2BW | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2BX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2BY | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2BZ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2CX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2CY | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2CZ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2DA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2DD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2DX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2EW | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2EWA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2EX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2EY | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2EZ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2FX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2FY | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2FZ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2IRB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2IXA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2IXB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2IXC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2IXD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2IXE | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2IXF | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2IXG | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2JA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2JK | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2MB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2MC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2S | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| | 12.2(31)SB13 | 12.2(33)SB2; |
| 12.2SB | | Available on |
| | 12.2(33)SB1 | 26-SEP-08 |
|-------------+-------------------------------------+---------------|
| 12.2SBC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SCA | 12.2(33)SCA1 | 12.2(33)SCA1 |
|-------------+-------------------------------------+---------------|
| 12.2SE | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SEA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SEB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SEC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SED | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SEE | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SEF | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SEG | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SG | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SGA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SL | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SM | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SO | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SRA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SRB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SRC | 12.2(33)SRC2 | 12.2(33)SRC2 |
|-------------+-------------------------------------+---------------|
| 12.2SU | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SV | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SVA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SVC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SVD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SW | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SXA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SXB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SXD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SXE | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SXF | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SXH | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SY | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2SZ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2T | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2TPC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XE | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XF | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XG | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XH | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XI | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XJ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XK | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XL | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XM | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XN | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XNA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XNB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XO | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XQ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XR | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XS | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XT | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XU | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XV | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2XW | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YE | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YF | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YG | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YH | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YJ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YK | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YL | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YM | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YN | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YO | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YP | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YQ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YR | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YS | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YT | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YU | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YV | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YW | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YY | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2YZ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZE | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZF | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZG | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZH | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZJ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZL | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZP | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZU | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| | | 12.2(33)SB2; |
| 12.2ZX | Vulnerable; first fixed in 12.2SB | Available on |
| | | 26-SEP-08 |
|-------------+-------------------------------------+---------------|
| 12.2ZY | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.2ZYA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| Affected | | Recommended |
| 12.3-Based | First Fixed Release | Release |
| Releases | | |
|-------------+-------------------------------------+---------------|
| 12.3 | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3B | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| | 12.3(17b)BC6 | |
| | | |
| 12.3BC | 12.3(21a)BC1 | 12.3(23)BC4 |
| | | |
| | 12.3(23)BC | |
|-------------+-------------------------------------+---------------|
| 12.3BW | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3EU | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3JA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3JEA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3JEB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3JEC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3JK | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3JL | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3JX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| | Note: Releases prior to 12.3(14)T3 | 12.4(15)T7 |
| 12.3T | are vulnerable, release 12.3(14)T3 | |
| | and later are not vulnerable; | 12.4(18c) |
|-------------+-------------------------------------+---------------|
| 12.3TPC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3VA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XE | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XF | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XG | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| | | 12.2(33)SB2; |
| 12.3XI | 12.3(7)XI10a | Available on |
| | | 26-SEP-08 |
|-------------+-------------------------------------+---------------|
| 12.3XJ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XK | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XL | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XQ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XR | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XS | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XU | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XW | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XY | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3XZ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YF | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YG | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YH | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YI | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YJ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YK | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YM | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YQ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YS | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YT | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YU | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3YZ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3ZA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| Affected | | Recommended |
| 12.4-Based | First Fixed Release | Release |
| Releases | | |
|-------------+-------------------------------------+---------------|
| | Note: Releases prior to 12.4(3) are | |
| 12.4 | vulnerable, release 12.4(3) and | 12.4(18c) |
| | later are not vulnerable; | |
|-------------+-------------------------------------+---------------|
| 12.4JA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4JK | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4JL | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4JMA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4JMB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4JMC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4JX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4MD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4MR | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4SW | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4T | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XA | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XB | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XD | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XE | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XF | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XG | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XJ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XK | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XL | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XM | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XN | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XP | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XQ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XR | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XT | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XV | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XW | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XY | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4XZ | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.4YA | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
Workarounds consist of filtering packets that are sent to 127.0.0.0/8
range and UDP packets that are sent to port 1975.
Using Interface Access Control Lists
+-----------------------------------
Access lists that filter UDP packets destined to port 1975 can be
used to mitigate this vulnerability. UDP port 1975 is a registered
port number that can be used by certain applications. However,
filtering all packets that are destined to UDP port 1975 may cause
some applications to malfunction. Therefore, access lists need to
explicitly deny UDP 1975 packets that are sent to any router
interface IP addresses and permit transit traffic. Such access lists
need to be applied on all interfaces to be effective. Since the IPC
channel uses addresses from the 127.0.0.0/8 range, it is also
necessary to filter packets that are sourced from or destined to this
range. An example is given below:
access-list 100 deny udp any host <router-interface 1> eq 1975
access-list 100 deny udp any host <router-interface 2> eq 1975
access-list 100 deny udp any host <router-interface ...> eq 1975
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip any 127.0.0.0 0.255.255.255
access-list 100 permit ip any any
interface Serial 0/0
 ip access-group 100 in
Using Control Plane Policing
+---------------------------
Control Plane Policing (CoPP) can be used to block untrusted UDP port
1975 access to the affected device. Cisco IOS software releases
12.2BC and 12.2SCA support the CoPP feature. CoPP may be configured
on a device to protect the management and control planes to minimize
the risk and effectiveness of direct infrastructure attacks by
explicitly permitting only authorized traffic sent to infrastructure
devices in accordance with existing security policies and
configurations. The following example can be adapted to your network.
Note: CoPP is not supported on uBR10012 series devices.
!-- Permit all UDP/1975 traffic so that it
!-- will be policed and dropped by the CoPP feature
!
access-list 111 permit udp any any eq 1975
access-list 111 permit ip any 127.0.0.0 0.255.255.255
access-list 111 permit ip 127.0.0.0 0.255.255.255 any
!
!-- Permit (Police or Drop)/Deny (Allow) all other Layer 3 and
!-- Layer 4 traffic in accordance with existing security policies
!-- and configurations for traffic that is authorized to be sent
!-- to infrastructure devices
!
!-- Create a Class-Map for traffic to be policed by the CoPP
!-- feature
!
class-map match-all drop-IPC-class
 match access-group 111
!
!-- Create a Policy-Map that will be applied to the Control-Plane
!-- of the device
!
policy-map drop-IPC-traffic
 class drop-IPC-class
  drop
!
!-- Apply the Policy-Map to the Control-Plane of the device
!
control-plane
 service-policy input drop-IPC-traffic
!
In the above CoPP example, the access control list entries (ACEs)
which match the potential exploit packets with the "permit" action
result in these packets being discarded by the policy-map "drop"
function, while packets that match the "deny" action (not shown) are
not affected by the policy-map drop function.
Please note that in the Cisco IOS 12.2S and 12.0S trains the
policy-map syntax is different:
!
policy-map drop-IPC-traffic
 class drop-IPC-class
  police 32000 1500 1500 conform-action drop exceed-action drop
!
Additional information on the configuration and use of the CoPP
feature can be found at
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html,
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html
and http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html
Using Infrastructure ACLs at Network Boundary
+--------------------------------------------
Although it is often difficult to block traffic transiting your
network, it is possible to identify traffic which should never be
allowed to target your infrastructure devices and block that traffic
at the border of your network. iACLs are a network security best
practice and should be considered as a long-term addition to good
network security as well as a workaround for this specific
vulnerability. The iACL example shown below should be included as
part of the deployed infrastructure access-list which will protect
all devices with IP addresses in the infrastructure IP address range:
!-- Note: IPC packets sent to UDP destination port 1975 must not
!-- be permitted from any trusted source as this traffic
!-- should only be sent and received internally by the
!-- affected device using an IP address allocated from the
!-- 127.0.0.0/8 prefix.
!--
!-- IPC traffic that is internally generated and sent
!-- and/or received by the affected device is not subjected
!-- to packet filtering by the applied iACL policy.
!
access-list 150 deny udp any host INTERFACE_ADDRESS#1 eq 1975
access-list 150 deny udp any host INTERFACE_ADDRESS#2 eq 1975
access-list 150 deny udp any host INTERFACE_ADDRESS#N eq 1975
!
!-- Deny all IP packets with a source or destination IP address
!-- from the 127.0.0.0/8 prefix.
!
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip any 127.0.0.0 0.255.255.255
!
!-- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations.
!
!-- Permit all other traffic to transit the device.
!
access-list 150 permit ip any any
!
!-- Apply iACL to interfaces in the ingress direction.
!
interface GigabitEthernet0/0
 ip access-group 150 in
!
Note: iACLs that filter UDP packets destined to port 1975 can be used
to mitigate this vulnerability. However, UDP port 1975 is a
registered port number that can be used by certain applications.
Filtering all packets that are destined to UDP port 1975 may cause
some applications to malfunction. Therefore, the iACL policy needs to
explicitly deny UDP packets using a destination port of 1975 that are
sent to any router interface IP addresses for affected devices, then
permit and/or deny all other Layer 3 and Layer 4 traffic in
accordance with existing security policies and configurations, and
then permit all other traffic to transit the device. iACLs must be
applied on all interfaces to be used effectively. Since the IPC
channel uses addresses from the 127.0.0.0/8 range, it is also
necessary to filter packets that are sourced from or destined to this
range as provided in the preceding example.
The white paper entitled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and recommended
deployment techniques for infrastructure protection access lists.
This white paper can be obtained here:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
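The interface ACL and iACL workarounds above only help if every router interface address is covered and the list is applied inbound on every interface. The following added example (not part of the Cisco advisory) audits a saved running-config offline by replaying probe packets through each inbound numbered extended ACL with first-match semantics. The probe addresses, sample configurations and function names are constructed for illustration, and only `eq` port matches are modelled.

```python
import ipaddress

EXTERNAL = "192.0.2.10"        # constructed untrusted probe source
TRANSIT_DST = "198.51.100.20"  # constructed host reached through the router
IPC_PORT, SPORT = 1975, 40000  # port from the advisory; constructed source port

def _ip(value):
    return int(ipaddress.IPv4Address(value))

def _take_addr(tokens):
    """Consume one IOS address spec and return (address, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)
    if tok == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(tok), _ip(tokens.pop(0)))

def _take_port(tokens):
    """Consume an optional 'eq <port>'; named ports never match a probe."""
    if len(tokens) >= 2 and tokens[0] == "eq":
        port = tokens[1]
        del tokens[:2]
        return int(port) if port.isdigit() else -1
    return None

def parse_config(text):
    """Return ({acl: [ace, ...]}, {interface: {"addrs": [...], "acl_in": acl}})."""
    acls, interfaces, current = {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if (t[0] == "access-list" and len(t) > 4 and t[2] in ("permit", "deny")
                and t[3] in ("ip", "udp", "tcp", "icmp")):
            rest = t[4:]
            # Dict values are evaluated left to right, consuming 'rest' in order.
            ace = {"action": t[2], "proto": t[3], "src": _take_addr(rest),
                   "sport": _take_port(rest), "dst": _take_addr(rest),
                   "dport": _take_port(rest)}
            acls.setdefault(t[1], []).append(ace)
        elif t[0] == "interface":
            current = interfaces.setdefault("".join(t[1:]), {"addrs": [], "acl_in": None})
        elif current is not None and t[:2] == ["ip", "address"] and len(t) >= 4:
            current["addrs"].append(t[2])
        elif current is not None and t[:2] == ["ip", "access-group"] and t[-1] == "in":
            current["acl_in"] = t[2]
    return acls, interfaces

def _hit(spec, ip):
    addr, wild = spec
    return (_ip(ip) | wild) == (addr | wild)

def decide(aces, proto, src, dst, dport=None):
    """First-match evaluation that ends in the implicit deny of an IOS ACL."""
    for ace in aces:
        if (ace["proto"] in ("ip", proto) and _hit(ace["src"], src)
                and _hit(ace["dst"], dst) and ace["sport"] in (None, SPORT)
                and ace["dport"] in (None, dport)):
            return ace["action"]
    return "deny"

def audit(text):
    """Return (interface, problem) pairs; an empty list means every probe passed."""
    acls, interfaces = parse_config(text)
    router_addrs = sorted({a for i in interfaces.values() for a in i["addrs"]}, key=_ip)
    findings = []
    for name, iface in interfaces.items():
        if not iface["addrs"]:
            continue  # assumption: only addressed interfaces are audited
        aces = acls.get(iface["acl_in"])
        if not aces:
            findings.append((name, "no inbound ACL applied or defined"))
            continue
        for addr in router_addrs:
            if decide(aces, "udp", EXTERNAL, addr, IPC_PORT) != "deny":
                findings.append((name, "UDP/1975 to %s permitted" % addr))
        for proto, port in (("tcp", 80), ("udp", 53), ("icmp", None)):
            if decide(aces, proto, "127.0.0.1", router_addrs[0], port) != "deny":
                findings.append((name, proto + " sourced from 127.0.0.0/8 permitted"))
            if decide(aces, proto, EXTERNAL, "127.0.0.1", port) != "deny":
                findings.append((name, proto + " destined to 127.0.0.0/8 permitted"))
        if decide(aces, "udp", EXTERNAL, TRANSIT_DST, IPC_PORT) != "permit":
            findings.append((name, "transit UDP/1975 blocked"))
    return findings

# Constructed sample configs (addresses and ACL number are illustrative).
TAIL = """access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip any 127.0.0.0 0.255.255.255
access-list 150 permit ip any any
interface GigabitEthernet0/0
 ip address 10.1.0.1 255.255.255.0
 ip access-group 150 in
interface GigabitEthernet0/1
 ip address 10.6.0.1 255.255.255.0
"""
WEAK_CONFIG = "access-list 150 deny udp any host 10.1.0.1 eq 1975\n" + TAIL
FIXED_CONFIG = ("access-list 150 deny udp any host 10.6.0.1 eq 1975\n"
                + WEAK_CONFIG + " ip access-group 150 in\n")
```

The "transit UDP/1975 blocked" finding reflects the advisory's caution that a blanket deny on port 1975 may break applications; treat it as a warning if local policy blocks that traffic on purpose.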
Additional Mitigation Techniques
+-------------------------------
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory, which is
available at the following link:
http://www.cisco.com/warp/public/707/cisco-amb-20080924-ipc-and-ubr.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was found internally.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-Sep-24 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
| VAR-200809-0042 | CVE-2008-3808 |
Cisco IOS In PIM Denial of service operation related to packet processing (DoS) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200809-0862 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco IOS 12.0 through 12.4 allows remote attackers to cause a denial of service (device reload) via a crafted Protocol Independent Multicast (PIM) packet. Cisco IOS is prone to multiple remote denial-of-service vulnerabilities because the software fails to properly handle malformed network datagrams.
Successfully exploiting these issues allows remote attackers to cause targeted devices to reload. Multiple exploits can lead to a sustained denial-of-service.
These issues are tracked by Cisco Bug IDs CSCsd95616 and CSCsl34355. Cisco IOS is the Internet operating system used on Cisco networking equipment. Cisco has released free software updates
that address these vulnerabilities. Workarounds that mitigate these
vulnerabilities are available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
Note: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml
Individual publication links are listed below:
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
Affected Products
=================
Vulnerable Products
+------------------
Devices that are running Cisco IOS Software and configured for PIM
have a vulnerability related to a specially crafted PIM packet.
The show running-config | include ip pim command can be issued to
verify that a Cisco IOS device is configured for PIM. In the
following example, the Cisco IOS router is configured for PIM
sparse-dense mode.
Router#show running-config | include ip pim
ip pim sparse-dense-mode
Note that available PIM modes on a Cisco IOS device are dense mode,
sparse mode, or sparse-dense mode. A device that is configured for
any of these modes is affected by these vulnerabilities. The mode
determines how the device populates its multicast routing table and
how multicast packets are forwarded. PIM must be enabled in one of
these modes for an interface to perform IP multicast routing. More
information on the configuration of each mode is in the "Details"
section.
Additionally, to display information about interfaces configured for
Protocol Independent Multicast (PIM), use the show ip pim interface
command in user EXEC or privileged EXEC mode, as shown in the
following example:
Router# show ip pim interface
Address          Interface                Ver/   Nbr    Query  DR     DR
                                          Mode   Count  Intvl  Prior
10.1.0.1         GigabitEthernet0/0       v2/SD  0      30     1      10.1.0.1
10.6.0.1         GigabitEthernet0/1       v2/SD  1      30     1      10.6.0.2
In order to determine the software that runs on a Cisco IOS product,
log in to the device and issue the show version command to display
the system banner. Cisco IOS software identifies itself as
"Internetwork Operating System Software" or simply "IOS." On the next
line of output, the image name displays between parentheses, followed
by "Version" and the Cisco IOS release name. Other Cisco devices do
not have the show version command or give different output.
The following example shows output from a device that runs an IOS
image:
router>show version
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(6)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Tue 16-May-06 16:09 by kellythw
<more output removed for brevity>
Products Confirmed Not Vulnerable
+--------------------------------
Cisco IOS devices that are not configured for PIM are not vulnerable.
Cisco IOS XR Software is not affected by this vulnerability. No other
Cisco products are currently known to be affected by this
vulnerability. Devices that run Cisco IOS Software and
are configured for PIM are affected by the first vulnerability. Only
Cisco 12000 Series (GSR) routers that are configured for PIM are
affected by the second vulnerability.
Available PIM modes on a Cisco IOS device are dense mode, sparse
mode, or sparse-dense mode. The mode determines how the device
populates its multicast routing table and how multicast packets are
forwarded. PIM must be enabled in one of these modes for an interface
to perform IP multicast routing.
Note: There is no default mode setting. By default, multicast routing
is disabled on an interface.
To configure PIM on an interface to be in dense mode, use the
following command in interface configuration mode:
Router(config-if)# ip pim dense-mode
To configure PIM on an interface to be in sparse mode, use the
following command in interface configuration mode:
Router(config-if)# ip pim sparse-mode
To configure PIM on an interface to be in sparse-dense mode, use the
following command in interface configuration mode:
Router(config-if)# ip pim sparse-dense-mode
These vulnerabilities are documented in the following Cisco Bug IDs:
* CSCsd95616 - Crafted PIM packets may cause an IOS device to
reload
* CSCsl34355 - GSR may crash with malformed PIM packets
These vulnerabilities have been assigned the Common Vulnerabilities
and Exposures (CVE) identifiers CVE-2008-3808 and CVE-2008-3809.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsd95616 - Crafted PIM packets may cause an IOS device to reload
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsl34355 - GSR may crash with malformed PIM packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation may cause a reload of the affected device.
Repeated exploitation could result in a sustained denial of service
(DoS) condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
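An added example, not part of the Cisco advisory: the checks described above (PIM configured, release read from show version, comparison with the "First Fixed Release" column) combined into one Python script. The TRAINS rows are copied from the table on this page as a subset; the function names, status strings and sample banners are constructed for illustration, and rows that list several first fixed releases are not handled.

```python
import re
from typing import List, NamedTuple, Optional


class IosRelease(NamedTuple):
    major: int
    minor: int
    maint: int            # maintenance number inside the parentheses
    maint_letter: str     # interim letter inside the parentheses, e.g. "c" in 12.2(26c)
    train: str            # train letters, "" for mainline
    rebuild: int          # rebuild number after the train, 0 when absent
    rebuild_letter: str   # trailing letter, e.g. "i" in 12.2(15)MC2i

    def train_name(self) -> str:
        return f"{self.major}.{self.minor}{self.train}"

    def order_key(self):
        # Ordering is only meaningful between releases of the same train.
        return (self.maint, self.maint_letter, self.rebuild, self.rebuild_letter)


_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]*)(\d*)([a-z]?)$")
_PIM_RE = re.compile(r"^\s*ip pim (dense-mode|sparse-mode|sparse-dense-mode)\b", re.M)


def parse_release(text: str) -> IosRelease:
    m = _RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IOS release string: {text!r}")
    major, minor, maint, mlet, train, rebuild, rlet = m.groups()
    return IosRelease(int(major), int(minor), int(maint), mlet, train,
                      int(rebuild or 0), rlet)


def release_from_show_version(output: str) -> Optional[IosRelease]:
    """Pull the release out of the banner line that contains 'IOS' and 'Version'."""
    for line in output.splitlines():
        if "IOS" not in line:
            continue
        m = re.search(r"\bVersion\s+([^,\s]+)", line)
        if m:
            try:
                return parse_release(m.group(1))
            except ValueError:
                return None
    return None


def pim_modes(config_output: str) -> List[str]:
    """PIM modes found in 'show running-config | include ip pim' output."""
    return _PIM_RE.findall(config_output)


# Subset of rows copied from the table on this page: train -> (status, detail).
TRAINS = {
    "12.2SXF": ("first_fixed", "12.2(18)SXF9"),
    "12.2SEE": ("first_fixed", "12.2(25)SEE4"),
    "12.1EA": ("first_fixed", "12.1(22)EA10"),
    "12.2SXE": ("fixed_in_other_train", "12.2SXF"),
    "12.2YB": ("contact_tac", None),
    "12.2SRB": ("not_vulnerable", None),
}


def assess(show_version: str, pim_config: str) -> str:
    if not pim_modes(pim_config):
        return "not affected: PIM not configured"
    rel = release_from_show_version(show_version)
    if rel is None:
        return "unknown: could not parse release"
    row = TRAINS.get(rel.train_name())
    if row is None:
        return "unknown: train not in table subset"
    status, detail = row
    if status == "not_vulnerable":
        return "not vulnerable"
    if status == "contact_tac":
        return "vulnerable: contact TAC"
    if status == "fixed_in_other_train":
        return f"vulnerable: migrate to {detail}"
    # Earlier than the First Fixed Release in the same train means vulnerable.
    if rel.order_key() < parse_release(detail).order_key():
        return f"vulnerable: upgrade to {detail} or later"
    return "fixed"


# Constructed sample inputs (image name is a placeholder, not a real image).
BANNER = "Cisco IOS Software, EXAMPLE Software (EXAMPLE-IMAGE-M), Version {}, RELEASE SOFTWARE (fc1)"
SAMPLE_PIM = "ip pim sparse-dense-mode\n"

if __name__ == "__main__":
    for version in ("12.2(18)SXF7", "12.2(18)SXF9", "12.2(18)SXE6", "12.4(6)T2"):
        print(version, "->", assess(BANNER.format(version), SAMPLE_PIM))
    print("no PIM ->", assess(BANNER.format("12.2(18)SXF7"), ""))
```

A release whose train is missing from TRAINS, such as the 12.4(6)T2 banner shown earlier, is reported as unknown rather than assumed safe.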
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+------------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0 | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.0(8)DA3 are | 12.2(12)DA13 |
| | vulnerable, release 12.0(8)DA3 and | |
| 12.0DA | later are not vulnerable; first fixed | 12.4(15)T7 |
| | in 12.2DA | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0DB | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0DC | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | 12.0(32)S8 | 12.0(32)S11 |
| 12.0S | | |
| | 12.0(33)S | 12.0(33)S1 |
|------------+---------------------------------------+--------------|
| | | 12.0(32)S11 |
| 12.0SC | Vulnerable; first fixed in 12.0S | |
| | | 12.0(33)S1 |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0SL | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0SP | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.0(32)S11 |
| 12.0ST | Vulnerable; first fixed in 12.0S | |
| | | 12.0(33)S1 |
|------------+---------------------------------------+--------------|
| | | 12.0(32)S11 |
| 12.0SX | Vulnerable; first fixed in 12.0S | |
| | | 12.0(33)S1 |
|------------+---------------------------------------+--------------|
| | | 12.0(32)SY7; |
| 12.0SY | 12.0(32)SY5 | Available on |
| | | 29-SEP-08 |
|------------+---------------------------------------+--------------|
| | | 12.0(32)S11 |
| 12.0SZ | 12.0(30)SZ4 | |
| | | 12.0(33)S1 |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0T | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.0W | Vulnerable; first fixed in 12.2 | 12.0(3c)W5 |
| | | (8) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.0(5)WC10 are | 12.4(15)T7 |
| 12.0WC | vulnerable, release 12.0(5)WC10 and | |
| | later are not vulnerable; first fixed | 12.4(18c) |
| | in 12.2 | |
|------------+---------------------------------------+--------------|
| 12.0WT | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XA | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XB | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.0(2)XC2 are | 12.4(15)T7 |
| 12.0XC | vulnerable, release 12.0(2)XC2 and | |
| | later are not vulnerable; first fixed | 12.4(18c) |
| | in 12.2 | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XD | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XE | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.0XF | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XG | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XH | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.0(4)XI2 are | 12.4(15)T7 |
| 12.0XI | vulnerable, release 12.0(4)XI2 and | |
| | later are not vulnerable; first fixed | 12.4(18c) |
| | in 12.2 | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XJ | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XK | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XL | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XM | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XN | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XQ | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XR | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.0XS | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XT | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.0XV | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1 | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1AA | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.1AX | Vulnerable; first fixed in 12.2EY | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.1(22)AY1 are | 12.1(22)EA12 |
| 12.1AY | vulnerable, release 12.1(22)AY1 and | |
| | later are not vulnerable; first fixed | 12.2(46)SE |
| | in 12.1EA | |
|------------+---------------------------------------+--------------|
| 12.1AZ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1CX | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(12)DA13 |
| | | |
| 12.1DA | Vulnerable; first fixed in 12.2DA | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1DB | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1DC | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.1E | 12.1(27b)E2 | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.1EA | 12.1(22)EA10 | 12.1(22)EA12 |
|------------+---------------------------------------+--------------|
| 12.1EB | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SCA1 |
| 12.1EC | Vulnerable; first fixed in 12.3BC | |
| | | 12.3(23)BC4 |
|------------+---------------------------------------+--------------|
| 12.1EO | Vulnerable; first fixed in 12.2SV | |
|------------+---------------------------------------+--------------|
| | | 12.2(25) |
| | | EWA14 |
| 12.1EU | Vulnerable; first fixed in 12.2EWA | |
| | | 12.2(31)SGA8 |
| | | |
| | | 12.2(46)SG1 |
|------------+---------------------------------------+--------------|
| 12.1EV | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.2(25) |
| | | EWA14 |
| | | |
| | | 12.2(31)SGA8 |
| 12.1EW | Vulnerable; first fixed in 12.2 | |
| | | 12.2(46)SG1 |
| | | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1EX | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.1EY | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.2(18) |
| | | SXF15 |
| 12.1EZ | Vulnerable; first fixed in 12.1E | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1GA | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1GB | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1T | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XA | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XB | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XC | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XD | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XE | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XF | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XG | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XH | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XI | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XJ | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XL | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XM | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XP | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XQ | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XR | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XS | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XT | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XU | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XV | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XW | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XX | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XY | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1XZ | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1YA | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1YB | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1YC | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1YD | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.1(5)YE6 are | 12.4(15)T7 |
| 12.1YE | vulnerable, release 12.1(5)YE6 and | |
| | later are not vulnerable; first fixed | 12.4(18c) |
| | in 12.2 | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1YF | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.1YH | Vulnerable; first fixed in 12.2 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.1YI | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.1YJ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|------------+---------------------------------------+--------------|
| | 12.2(26c) | |
| | | |
| | 12.2(27c) | |
| | | 12.4(15)T7 |
| 12.2 | 12.2(28d) | |
| | | 12.4(18c) |
| | 12.2(29b) | |
| | | |
| | 12.2(46) | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2B | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SCA1 |
| | | |
| | | 12.3(23)BC4 |
| 12.2BC | Vulnerable; first fixed in 12.3 | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2BW | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| | | Available on |
| | | 26-SEP-08 |
| 12.2BX | Vulnerable; first fixed in 12.3 | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2BY | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2BZ | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SCA1 |
| | | |
| | | 12.3(23)BC4 |
| 12.2CX | Vulnerable; first fixed in 12.3 | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SCA1 |
| | | |
| | | 12.3(23)BC4 |
| 12.2CY | Vulnerable; first fixed in 12.3 | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| 12.2CZ | Vulnerable; first fixed in 12.2S | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| | 12.2(10)DA9 | |
| 12.2DA | | 12.2(12)DA13 |
| | 12.2(12)DA13 | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2DD | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2DX | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(25) |
| | | EWA14 |
| 12.2EW | Vulnerable; first fixed in 12.2EWA | |
| | | 12.2(31)SGA8 |
| | | |
| | | 12.2(46)SG1 |
|------------+---------------------------------------+--------------|
| | 12.2(25)EWA10 | 12.2(25) |
| 12.2EWA | | EWA14 |
| | 12.2(25)EWA11 | |
|------------+---------------------------------------+--------------|
| 12.2EX | 12.2(37)EX | 12.2(35)EX2 |
|------------+---------------------------------------+--------------|
| 12.2EY | 12.2(37)EY | |
|------------+---------------------------------------+--------------|
| 12.2EZ | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2FX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2FY | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2FZ | Vulnerable; first fixed in 12.2SE | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2IRB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2IXA | Vulnerable; migrate to any release in | 12.2(18)IXG |
| | 12.2IXE | |
|------------+---------------------------------------+--------------|
| 12.2IXB | Vulnerable; migrate to any release in | 12.2(18)IXG |
| | 12.2IXE | |
|------------+---------------------------------------+--------------|
| 12.2IXC | Vulnerable; migrate to any release in | 12.2(18)IXG |
| | 12.2IXE | |
|------------+---------------------------------------+--------------|
| 12.2IXD | Vulnerable; migrate to any release in | 12.2(18)IXG |
| | 12.2IXE | |
|------------+---------------------------------------+--------------|
| 12.2IXE | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2IXF | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2IXG | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2JA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2JK | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.2(25)SW12 |
| | | |
| 12.2MB | Vulnerable; first fixed in 12.2SW | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2MC | 12.2(15)MC2i | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | 12.2(14)S18 | |
| | | |
| | 12.2(18)S13 | 12.2(33)SB2; |
| 12.2S | | Available on |
| | 12.2(20)S13 | 26-SEP-08 |
| | | |
| | 12.2(25)S13 | |
|------------+---------------------------------------+--------------|
| | 12.2(28)SB7 | |
| | | 12.2(33)SB2; |
| 12.2SB | 12.2(31)SB5 | Available on |
| | | 26-SEP-08 |
| | 12.2(33)SB | |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| 12.2SBC | Vulnerable; first fixed in 12.2SB | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| 12.2SCA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | 12.2(35)SE4 | |
| 12.2SE | | 12.2(46)SE |
| | 12.2(37)SE | |
|------------+---------------------------------------+--------------|
| 12.2SEA | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2SEB | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2SEC | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2SED | Vulnerable; first fixed in 12.2SEE | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2SEE | 12.2(25)SEE4 | 12.2(46)SE |
|------------+---------------------------------------+--------------|
| 12.2SEF | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SEG | 12.2(25)SEG3 | 12.2(25)SEG6 |
|------------+---------------------------------------+--------------|
| | 12.2(25)SG3 | |
| | | |
| 12.2SG | 12.2(31)SG3 | 12.2(46)SG1 |
| | | |
| | 12.2(37)SG | |
|------------+---------------------------------------+--------------|
| 12.2SGA | 12.2(31)SGA2 | 12.2(31)SGA8 |
|------------+---------------------------------------+--------------|
| 12.2SL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SM | 12.2(29)SM3 | 12.2(29)SM4 |
|------------+---------------------------------------+--------------|
| 12.2SO | Vulnerable; first fixed in 12.2SV | |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SRB4 |
| 12.2SRA | 12.2(33)SRA4 | |
| | | 12.2(33)SRC2 |
|------------+---------------------------------------+--------------|
| 12.2SRB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SRC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2SU | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2SV | 12.2(29b)SV1 | |
|------------+---------------------------------------+--------------|
| 12.2SVA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SVC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SVD | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SW | 12.2(25)SW12 | 12.2(25)SW12 |
|------------+---------------------------------------+--------------|
| 12.2SX | Vulnerable; first fixed in 12.2SXF | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.2SXA | Vulnerable; first fixed in 12.2SXF | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.2SXB | Vulnerable; first fixed in 12.2SXF | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.2SXD | Vulnerable; first fixed in 12.2SXF | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.2SXE | Vulnerable; first fixed in 12.2SXF | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.2SXF | 12.2(18)SXF9 | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| | Not Vulnerable | |
| 12.2SXH | | |
| | http://www.cisco.com/go/pn | |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| 12.2SY | Vulnerable; first fixed in 12.2S | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| 12.2SZ | Vulnerable; first fixed in 12.2S | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2T | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2TPC | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XA | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XB | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XC | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XD | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XE | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SCA1 |
| | | |
| | | 12.3(23)BC4 |
| 12.2XF | Vulnerable; first fixed in 12.3 | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.2(2)XG1 are | 12.4(15)T7 |
| 12.2XG | vulnerable, release 12.2(2)XG1 and | |
| | later are not vulnerable; first fixed | 12.4(18c) |
| | in 12.3 | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XH | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XI | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XJ | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XK | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XL | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XM | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| | | Available on |
| | | 26-SEP-08 |
| 12.2XN | 12.2(33)XN1 | |
| | | 12.2(33)SRC2 |
| | | |
| | | 12.2(33)XNA2 |
|------------+---------------------------------------+--------------|
| 12.2XNA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XNB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XO | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XQ | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.2(15)XR are | 12.3(8)JEA3 |
| | vulnerable, release 12.2(15)XR and | |
| 12.2XR | later are not vulnerable; first fixed | 12.4(15)T7 |
| | in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XS | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XT | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XU | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XV | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XW | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2YA | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2YB | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YC | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YD | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YE | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YF | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YG | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YH | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YJ | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YK | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YL | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2YM | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2YN | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YO | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2YP | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2YQ | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YR | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YS | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2YT | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YU | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YV | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YW | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YX | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YY | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YZ | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZA | Vulnerable; first fixed in 12.2SXF | 12.2(18) |
| | | SXF15 |
|------------+---------------------------------------+--------------|
| 12.2ZB | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZC | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZD | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2ZE | Vulnerable; first fixed in 12.3 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2ZF | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2ZG | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2ZH | 12.2(13)ZH9 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2ZJ | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZL | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZP | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZU | Vulnerable; migrate to any release in | 12.2(33)SXH3 |
| | 12.2SXH | |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| 12.2ZX | Vulnerable; first fixed in 12.2SB | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| 12.2ZY | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2ZYA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| Affected | | Recommended |
| 12.3-Based | First Fixed Release | Release |
| Releases | | |
|------------+---------------------------------------+--------------|
| | 12.3(17c) | |
| | | |
| | 12.3(18a) | |
| | | 12.4(15)T7 |
| 12.3 | 12.3(19a) | |
| | | 12.4(18c) |
| | 12.3(20a) | |
| | | |
| | 12.3(21) | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3B | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | 12.3(17b)BC6 | |
| 12.3BC | | 12.3(23)BC4 |
| | 12.3(21)BC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3BW | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3EU | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JEA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JEB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JEC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JK | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3T | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3TPC | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.3VA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XA | 12.3(2)XA7 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3XB | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XC | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XD | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XE | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3XF | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XG | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| 12.3XI | 12.3(7)XI10 | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| | | 12.3(14)YX13 |
| 12.3XJ | Vulnerable; first fixed in 12.3YX | |
| | | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XK | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XL | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XQ | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XR | 12.3(7)XR7 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XS | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3XU | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.3(14)YX13 |
| 12.3XW | Vulnerable; first fixed in 12.3YX | |
| | | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XX | 12.3(8)XX2d | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XY | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XZ | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3YA | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3YD | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.3(14)YX13 |
| 12.3YF | Vulnerable; first fixed in 12.3YX | |
| | | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YG | 12.3(8)YG6 | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YH | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YI | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YJ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YK | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.3(14) |
| 12.3YM | 12.3(14)YM10 | YM13; |
| | | Available on |
| | | 30-SEP-08 |
|------------+---------------------------------------+--------------|
| 12.3YQ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YS | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YT | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.4(2)XB10 |
| | | |
| 12.3YU | Vulnerable; first fixed in 12.4XB | 12.4(9)XG3 |
| | | |
| | | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YX | 12.3(14)YX8 | 12.3(14)YX13 |
|------------+---------------------------------------+--------------|
| 12.3YZ | 12.3(11)YZ3 | |
|------------+---------------------------------------+--------------|
| 12.3ZA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| Affected | | Recommended |
| 12.4-Based | First Fixed Release | Release |
| Releases | | |
|------------+---------------------------------------+--------------|
| | 12.4(10c) | |
| | | |
| | 12.4(12) | |
| | | |
| | 12.4(3h) | |
| 12.4 | | 12.4(18c) |
| | 12.4(5c) | |
| | | |
| | 12.4(7e) | |
| | | |
| | 12.4(8d) | |
|------------+---------------------------------------+--------------|
| 12.4JA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JK | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JMA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JMB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JMC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4MD | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4MR | 12.4(11)MR | 12.4(19)MR |
|------------+---------------------------------------+--------------|
| 12.4SW | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | 12.4(11)T | |
| | | |
| | 12.4(2)T6 | |
| | | |
| 12.4T | 12.4(4)T8 | 12.4(15)T7 |
| | | |
| | 12.4(6)T7 | |
| | | |
| | 12.4(9)T3 | |
|------------+---------------------------------------+--------------|
| 12.4XA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.4XB | 12.4(2)XB6 | 12.4(2)XB10 |
|------------+---------------------------------------+--------------|
| 12.4XC | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.4(4)XD11; |
| 12.4XD | 12.4(4)XD8 | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| 12.4XE | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.4XF | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XG | 12.4(9)XG2 | 12.4(9)XG3 |
|------------+---------------------------------------+--------------|
| 12.4XJ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XK | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XM | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XN | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XP | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.4XQ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XR | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XT | 12.4(6)XT2 | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.4XV | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XW | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XY | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XZ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4YA | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
Specifying trusted PIM neighbors is a workaround for both
vulnerabilities. A PIM router must receive PIM Hellos to establish
PIM neighborship. PIM neighborship is also the basis for designated
router (DR) election, DR failover, and accepting/sending PIM Join/
Prune/Assert messages. To specify trusted PIM neighbors, use the ip
pim neighbor-filter command, as shown in the following example:

    Router(config)#access-list 1 permit host 10.10.10.123
    !-- An access control list is created to allow a trusted PIM neighbor
    !-- in this example the neighbor is 10.10.10.123
    !
    Router(config)#interface fastEthernet 0/0
    Router(config-if)#ip pim neighbor-filter 1
    !-- The PIM neighbor filter is then applied to the respective interface(s)

The ip pim neighbor-filter command filters PIM packets from untrusted
devices including Hellos, Join/Prune, and BSR packets.
Note: The vulnerabilities described in this document can be exploited
by spoofed IP packets if the attacker knows the IP address of the
trusted PIM neighbors listed in the ip pim neighbor-filter
implementation.
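
One way to check a saved running-config for the neighbor-filter workaround described above (an added example, not part of the Cisco advisory): the script flags PIM-enabled interfaces that have no ip pim neighbor-filter, that reference an ACL missing from the config, or whose ACL permits any source. The sample configuration, the function names and the "permit any" heuristic are assumptions made for this example.

```python
import re

# Constructed sample running-config (not taken from the advisory): four PIM
# interfaces, only the first of which is protected as the workaround describes.
SAMPLE_CONFIG = """\
access-list 1 permit host 10.10.10.123
access-list 2 permit any
!
interface FastEthernet0/0
 ip address 192.168.60.1 255.255.255.0
 ip pim sparse-mode
 ip pim neighbor-filter 1
!
interface FastEthernet0/1
 ip address 192.168.61.1 255.255.255.0
 ip pim sparse-mode
!
interface FastEthernet0/2
 ip address 192.168.62.1 255.255.255.0
 ip pim sparse-dense-mode
 ip pim neighbor-filter 2
!
interface FastEthernet0/3
 ip address 192.168.63.1 255.255.255.0
 ip pim dense-mode
 ip pim neighbor-filter 7
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
"""

PIM_MODE = re.compile(r"^ip pim (sparse-mode|dense-mode|sparse-dense-mode)\b")
NEIGHBOR_FILTER = re.compile(r"^ip pim neighbor-filter (\S+)")
NUMBERED_ACL = re.compile(r"^access-list (\d+) (permit|deny) (.+)$")
NAMED_ACL = re.compile(r"^ip access-list standard (\S+)")


def parse_config(text):
    """Return (interfaces, acls) parsed from IOS running-config text.

    interfaces: name -> {"pim": bool, "filter": ACL name or None}
    acls:       name -> list of (action, match) entries
    """
    interfaces, acls = {}, {}
    iface = named = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # unindented line: a new top-level section
            iface = named = None
            if line.startswith("interface "):
                iface = line.split(None, 1)[1]
                interfaces[iface] = {"pim": False, "filter": None}
            elif (m := NUMBERED_ACL.match(line)):
                acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            elif (m := NAMED_ACL.match(line)):
                named = m.group(1)
                acls.setdefault(named, [])
            continue
        if iface:
            if PIM_MODE.match(line):
                interfaces[iface]["pim"] = True
            elif (m := NEIGHBOR_FILTER.match(line)):
                interfaces[iface]["filter"] = m.group(1)
        elif named:
            parts = line.split(None, 1)
            if parts[0].isdigit() and len(parts) == 2:  # skip sequence number
                parts = parts[1].split(None, 1)
            if parts[0] in ("permit", "deny") and len(parts) == 2:
                acls[named].append((parts[0], parts[1]))
    return interfaces, acls


def audit_pim_neighbor_filters(text):
    """Return [(interface, finding)] for PIM interfaces lacking the workaround."""
    interfaces, acls = parse_config(text)
    findings = []
    for name, info in interfaces.items():
        if not info["pim"]:
            continue  # PIM not enabled here, so the workaround does not apply
        acl = info["filter"]
        if acl is None:
            findings.append((name, "no ip pim neighbor-filter configured"))
        elif acl not in acls:
            findings.append((name, f"neighbor-filter ACL {acl} is not defined"))
        elif any(a == "permit" and m.split()[0] == "any" for a, m in acls[acl]):
            findings.append((name, f"neighbor-filter ACL {acl} permits any source"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_pim_neighbor_filters(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

A clean result only confirms that the filter is configured; as the note above says, spoofed packets carrying a trusted neighbor's address still pass it.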
To protect infrastructure devices and minimize the risk, impact, and
effectiveness of direct infrastructure attacks, administrators are
advised to deploy ACLs to perform policy enforcement of traffic sent
to core infrastructure equipment. PIM is IP protocol 103. As an
additional workaround, administrators can explicitly permit only
authorized PIM (IP protocol 103) traffic sent to infrastructure
devices in accordance with existing security policies and
configurations. An ACL can be deployed as shown in the following
example:

    ip access-list extended Infrastructure-ACL-Policy
     !
     !-- When applicable, include explicit permit statements for trusted
     !-- sources that require access on the vulnerable protocol
     !-- PIM routers need to communicate with the rendezvous point (RP).
     !-- In this example, 192.168.100.1 is the IP address of the
     !-- rendezvous point, which is a trusted host that requires access
     !-- to and from the affected PIM devices.
     !
     permit pim host 192.168.100.1 192.168.60.0 0.0.0.255
     permit pim 192.168.60.0 0.0.0.255 host 192.168.100.1
     !
     !-- Permit PIM segment traffic, packets have destination of:
     !-- 224.0.0.13 (PIMv2)
     !-- 224.0.0.2 (Required only by legacy PIMv1)
     !
     permit pim 192.168.60.0 0.0.0.255 host 224.0.0.13
     permit pim 192.168.60.0 0.0.0.255 host 224.0.0.2
     !
     !-- The following vulnerability-specific access control entries
     !-- (ACEs) can aid in identification of attacks
     !
     deny pim any 192.168.60.0 0.0.0.255
     !
     !-- Explicit deny ACE for traffic sent to addresses configured within
     !-- the infrastructure address space
     !
     deny ip any 192.168.60.0 0.0.0.255
     !
     !-- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
     !-- with existing security policies and configurations
     !
     !-- Apply iACL to interfaces in the ingress direction
     !
    interface GigabitEthernet0/0
     ip access-group Infrastructure-ACL-Policy in

Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were found during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+----------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-September-24 | public |
| | | release |
+----------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
.
1) An unspecified error exists in the processing of SSL packets
during the termination of an SSL session, which can potentially be
exploited to crash an affected system.
Successful exploitation requires that the device is configured with
Network Address Translation (NAT) SCCP Fragmentation Support.
4) A memory leak in the processing of Session Initiation Protocol
(SIP) messages can be exploited to cause a DoS for all voice
services.
5) Multiple unspecified errors exist in the processing of SIP
messages, which can be exploited to cause a reload of an affected
device.
6) An unspecified error in the IOS Intrusion Prevention System (IPS)
feature when processing certain IPS signatures that use the
SERVICE.DNS engine can be exploited to cause a DoS via specially
crafted network traffic.
7) A security issue exists in the processing of extended communities
with Multi Protocol Label Switching (MPLS) Virtual Private Networks
(VPN), which can lead to traffic leaking from one MPLS VPN to
another.
NOTE: This security issue was introduced with CSCee83237.
8) An unspecified error within the Multi Protocol Label Switching
(MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a
DoS via specially crafted network packets.
Successful exploitation requires access to the MPLS network.
Successful exploitation requires that the L2TP mgmt daemon process is
running. This process may be enabled e.g. via Layer 2 virtual private
networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack
Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up
Networks (VPDN).
11) An unspecified error exists in the processing of IPC messages.
This can be exploited to reload an affected device via a specially
crafted UDP packet sent to port 1975.
12) A security issue is caused due to the device automatically
enabling SNMP with a default community string, which can be exploited
to gain control of an affected system.
SOLUTION:
Update to the fixed version (please see the vendor's advisories for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
| VAR-200809-0041 | CVE-2008-3807 | SNMP service community name vulnerability in Cisco IOS running on Cisco uBR10012 series devices |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Cisco IOS 12.2 and 12.3 on Cisco uBR10012 series devices, when linecard redundancy is configured, enables a read/write SNMP service with "private" as the community, which allows remote attackers to obtain administrative access by guessing this community and sending SNMP requests. Cisco uBR10012 routers are high-performance network devices.
The routers are prone to a weak default configuration issue. A remote attacker may exploit this issue to gain complete access to the vulnerable device.
Cisco uBR10012 routers are vulnerable.
This issue is being tracked by Cisco bug ID CSCek57932.
TITLE:
Cisco IOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA31990
VERIFY ADVISORY:
http://secunia.com/advisories/31990/
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information, DoS, System access
WHERE:
From remote
OPERATING SYSTEM:
Cisco IOS R12.x
http://secunia.com/advisories/product/50/
Cisco IOS 12.x
http://secunia.com/advisories/product/182/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco IOS, which can be
exploited by malicious people to disclose sensitive information,
cause a DoS (Denial of Service), or to compromise a vulnerable
system.
1) An unspecified error exists in the processing of SSL packets
during the termination of an SSL session, which can potentially be
exploited to crash an affected system.
2) Two unspecified errors exist within the processing of Protocol
Independent Multicast (PIM) packets, which can be exploited to cause
an affected device to reload.
3) Unspecified errors within the processing of segmented Skinny Call
Control Protocol (SCCP) messages can be exploited to cause a Cisco
IOS device to reload.
Successful exploitation requires that the device is configured with
Network Address Translation (NAT) SCCP Fragmentation Support.
4) A memory leak in the processing of Session Initiation Protocol
(SIP) messages can be exploited to cause a DoS for all voice
services.
5) Multiple unspecified errors exist in the processing of SIP
messages, which can be exploited to cause a reload of an affected
device.
6) An unspecified error in the IOS Intrusion Prevention System (IPS)
feature when processing certain IPS signatures that use the
SERVICE.DNS engine can be exploited to cause a DoS via specially
crafted network traffic.
7) A security issue exists in the processing of extended communities
with Multi Protocol Label Switching (MPLS) Virtual Private Networks
(VPN), which can lead to traffic leaking from one MPLS VPN to
another.
This security issue does not affect Cisco IOS releases based on
12.1.
NOTE: This security issue was introduced with CSCee83237. Cisco IOS
images that do not include CSCee83237 are reportedly not affected.
8) An unspecified error within the Multi Protocol Label Switching
(MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a
DoS via specially crafted network packets.
Successful exploitation requires access to the MPLS network.
9) An unspecified error within the Application Inspection Control
(AIC) can be exploited to cause a reload of an affected device via
specially crafted HTTP packets.
10) An unspecified error in the processing of Layer 2 Tunneling
Protocol (L2TP) packets can be exploited to cause an affected device
to reload via specially crafted L2TP packets.
Successful exploitation requires that the L2TP mgmt daemon process is
running. This process may be enabled e.g. via Layer 2 virtual private
networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack
Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up
Networks (VPDN).
11) An unspecified error exists in the processing of IPC messages.
This can be exploited to reload an affected device via a specially
crafted UDP packet sent to port 1975.
12) A security issue is caused by the device automatically
enabling SNMP with a default community string, which can be exploited
to gain control of an affected system.
Successful exploitation requires that a device is configured for
linecard redundancy.
This vulnerability affects Cisco uBR10012 series devices running IOS.
SOLUTION:
Update to the fixed version (please see the vendor's advisories for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
| VAR-200809-0038 | CVE-2008-3804 | Cisco IOS MPLS Forwarding Infrastructure (MFI) denial-of-service (DoS) vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) in Cisco IOS 12.2 and 12.4 allows remote attackers to cause a denial of service (memory corruption) via crafted packets for which the software path is used.
A successful exploit may cause an affected device to reload, denying service to legitimate users.
Only the MFI is affected by
this vulnerability. The older Label Forwarding Information Base (LFIB)
implementation, which is replaced by MFI, is not affected.
Cisco has released free software updates that address this
vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
NOTE: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml
Individual publication links are listed below:
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
Affected Products
=================
Devices that run Cisco IOS software (including those that support
Cisco IOS Software Modularity) and support MFI are affected if they
are configured for MPLS.
Vulnerable Products
+------------------
A device that runs Cisco IOS software and supports MFI will have
mfi_ios in the output of the show subsys command. The following
example shows output from a device that supports MFI:
    Router#show subsys name mfi_ios
                        Class         Version
    mfi_ios             Protocol      1.000.001
    Router#
The following example shows output from a device that is configured
for MPLS:
    Router#show mpls interface
    Interface              IP            Tunnel   BGP Static Operational
    Ethernet0/0            Yes (ldp)     No       No  No     Yes
    Router#
To determine the software running on a Cisco product, log in to the
device and issue the "show version" command to display the system
banner. Cisco IOS software will identify itself as "Internetwork
Operating System Software" or simply "IOS". On the next line of
output, the image name will be displayed between parentheses,
followed by "Version" and the IOS release name. Other Cisco devices
will not have the "show version" command or will give different
output.
The following example identifies a Cisco product that is running
Cisco IOS release 12.4(11)T2:
    Router#show version
    Cisco IOS Software,7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Tue 01-May-07 04:19 by prod_rel_team
    <output truncated>
Additional information on the Cisco IOS release naming conventions
can be found on the document entitled "White Paper: Cisco IOS
Reference Guide", which is available at
http://www.cisco.com/warp/public/620/1.html
Products Confirmed Not Vulnerable
+--------------------------------
Devices running Cisco IOS software versions that do not include MFI
are not vulnerable.
Devices that are not configured for MPLS are not vulnerable.
Devices that are running Cisco IOS XR software are not vulnerable.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
In newer versions of Cisco IOS software, a new packet forwarding
infrastructure was introduced to improve scalability and performance.
This forwarding infrastructure, called MFI, is transparent to the
user. MFI manages MPLS data structures used for forwarding and
replaces the older implementation, Label Forwarding Information Base
(LFIB). Such
packets can be sent from the local segment to the interfaces that are
configured for MPLS or via tunnel interfaces that are configured for
MPLS. To target a remote system in an MPLS network, an attacker needs
to have access to the MPLS network through an MPLS-enabled interface.
MPLS packets are dropped on interfaces that are not configured for
MPLS.
Devices that support MFI will have mfi_ios in the output of the show
subsys command. Interfaces that are enabled for MPLS can be seen by
the show mpls interface command.
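The two preconditions described above and under "Vulnerable Products" (MFI support and MPLS configuration) can be checked across saved command output. The following Python script is an added example, not part of the Cisco advisory; the function names are hypothetical and the sample outputs are constructed from the advisory's own examples.

```python
import re

# Constructed sample outputs, modelled on the examples in the advisory.
SUBSYS_OUT = """Router#show subsys name mfi_ios
                    Class         Version
mfi_ios             Protocol      1.000.001
Router#"""

MPLS_OUT = """Router#show mpls interface
Interface              IP            Tunnel   BGP Static Operational
Ethernet0/0            Yes (ldp)     No       No  No     Yes
Router#"""

VERSION_OUT = """Router#show version
Cisco IOS Software,7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4)
"""


def supports_mfi(show_subsys: str) -> bool:
    """True if 'show subsys name mfi_ios' lists the mfi_ios subsystem.

    The echoed command line also contains 'mfi_ios', so only a line that
    starts with the subsystem name and carries a version counts.
    """
    return re.search(r"^\s*mfi_ios\s+\S+\s+\d+\.\d+", show_subsys, re.M) is not None


def mpls_interfaces(show_mpls_interface: str):
    """Return [(interface, operational)] from 'show mpls interface' output."""
    rows, in_table = [], False
    for line in show_mpls_interface.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "Interface":
            in_table = True          # header row; data rows follow
            continue
        if "#" in tokens[0] or ">" in tokens[0]:
            in_table = False         # CLI prompt or echoed command
            continue
        if in_table:
            # The IP column may contain a space ("Yes (ldp)"), so only the
            # first and last tokens are used.
            rows.append((tokens[0], tokens[-1].lower() == "yes"))
    return rows


def ios_release(show_version: str):
    """Extract the release name, e.g. '12.4(11)T2', or None if absent."""
    m = re.search(r"Version\s+(\d+\.\d+\(\d+[a-z]?\)[A-Za-z0-9]*)", show_version)
    return m.group(1) if m else None


def triage(show_subsys: str, show_mpls_interface: str, show_version: str) -> dict:
    """Summarise whether a device meets the advisory's two preconditions.

    'preconditions_met' only means the device supports MFI and has at least
    one MPLS-enabled interface; the reported release must still be looked
    up in the advisory's First Fixed Release table.
    """
    mfi = supports_mfi(show_subsys)
    ifaces = mpls_interfaces(show_mpls_interface)
    return {
        "release": ios_release(show_version),
        "mfi": mfi,
        "mpls_interfaces": ifaces,
        "preconditions_met": mfi and bool(ifaces),
    }


if __name__ == "__main__":
    print(triage(SUBSYS_OUT, MPLS_OUT, VERSION_OUT))
```

A device whose `show mpls interface` output lists no interfaces, or whose `show subsys` output has no `mfi_ios` row, is reported with `preconditions_met` set to `False`.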
More information on MFI can be found at the following link:
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_lsc_removed.html
This vulnerability is documented in the Cisco Bug ID CSCsk93241
and has been assigned Common Vulnerabilities and Exposures (CVE)
ID CVE-2008-3804.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsk93241 - Chunk memory corruption on LFDp Input Proc
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of this vulnerability may result in the
reload of the device, leading to a DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+------------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|------------+--------------------------------------+---------------|
| 12.2 | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2B | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2BC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2BW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2BX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2BY | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2BZ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2CX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2CY | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2CZ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2DA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2DD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2DX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2EW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2EWA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2EX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2EY | 12.2(44)EY; Available on 16-DEC-08 | |
|------------+--------------------------------------+---------------|
| 12.2EZ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2FX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2FY | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2FZ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2IRB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2IXA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2IXB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2IXC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2IXD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2IXE | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2IXF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2IXG | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2JA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2JK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2MB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2MC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | Releases prior to 12.2(22)S are not | |
| | vulnerable. | |
| | | 12.2(33)SB2; |
| 12.2S | Release 12.2(22)S and later and | Available on |
| | prior to 12.2(30)S are vulnerable, | 26-SEP-08 |
| | | |
| | release 12.2(30)S and later are not | |
| | vulnerable | |
|------------+--------------------------------------+---------------|
| | 12.2(31)SB12 | 12.2(33)SB2; |
| 12.2SB | | Available on |
| | 12.2(33)SB | 26-SEP-08 |
|------------+--------------------------------------+---------------|
| | | 12.2(33)SB2; |
| 12.2SBC | Vulnerable; first fixed in 12.2SB | Available on |
| | | 26-SEP-08 |
|------------+--------------------------------------+---------------|
| 12.2SCA | 12.2(33)SCA1 | 12.2(33)SCA1 |
|------------+--------------------------------------+---------------|
| | 12.2(44)SE3; Available on 30-SEP-08 | |
| 12.2SE | | 12.2(46)SE |
| | 12.2(46)SE | |
|------------+--------------------------------------+---------------|
| 12.2SEA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SEB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SEC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SED | Vulnerable; first fixed in 12.2SE | 12.2(46)SE |
|------------+--------------------------------------+---------------|
| 12.2SEE | Vulnerable; first fixed in 12.2SE | 12.2(46)SE |
|------------+--------------------------------------+---------------|
| 12.2SEF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | Note: Releases prior to 12.2(25)SEG4 | |
| 12.2SEG | are vulnerable, release 12.2(25)SEG4 | 12.2(25)SEG6 |
| | and later are not vulnerable; | |
|------------+--------------------------------------+---------------|
| 12.2SG | 12.2(50)SG; Available on 24-NOV-08 | 12.2(46)SG1 |
|------------+--------------------------------------+---------------|
| 12.2SGA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SM | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SO | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | | 12.2(33)SRB4 |
| 12.2SRA | Vulnerable; first fixed in 12.2SRB | |
| | | 12.2(33)SRC2 |
|------------+--------------------------------------+---------------|
| 12.2SRB | 12.2(33)SRB4 | 12.2(33)SRB4 |
|------------+--------------------------------------+---------------|
| 12.2SRC | 12.2(33)SRC1 | 12.2(33)SRC2 |
|------------+--------------------------------------+---------------|
| 12.2SU | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SV | Vulnerable; contact TAC | |
|------------+--------------------------------------+---------------|
| 12.2SVA | Vulnerable; contact TAC | |
|------------+--------------------------------------+---------------|
| 12.2SVC | Vulnerable; contact TAC | |
|------------+--------------------------------------+---------------|
| 12.2SVD | Vulnerable; contact TAC | |
|------------+--------------------------------------+---------------|
| | Note: Releases prior to 12.2(25)SW4 | |
| 12.2SW | are vulnerable, release 12.2(25)SW4 | 12.2(25)SW12 |
| | and later are not vulnerable; | |
|------------+--------------------------------------+---------------|
| 12.2SX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SXA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SXB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SXD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SXE | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SXF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SXH | 12.2(33)SXH3 | 12.2(33)SXH3 |
|------------+--------------------------------------+---------------|
| 12.2SY | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2SZ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2T | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2TPC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XE | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XG | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XH | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XI | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XJ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XM | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | | 12.2(33)SB2; |
| | | Available on |
| | | 26-SEP-08 |
| 12.2XN | Vulnerable; first fixed in 12.2SB | |
| | | 12.2(33)SRC2 |
| | | |
| | | 12.2(33)XNA2 |
|------------+--------------------------------------+---------------|
| 12.2XNA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XNB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XO | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XQ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XR | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XS | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XT | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XU | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XV | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2XW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YE | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YG | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YH | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YJ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YM | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YN | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YO | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YP | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YQ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YR | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YS | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YT | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YU | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YV | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YY | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2YZ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZE | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZG | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZH | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZJ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZP | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZU | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| | | 12.2(33)SB2; |
| 12.2ZX | Vulnerable; first fixed in 12.2SB | Available on |
| | | 26-SEP-08 |
|------------+--------------------------------------+---------------|
| 12.2ZY | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.2ZYA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| Affected | | Recommended |
| 12.3-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.4-Based | First Fixed Release | Release |
| Releases | | |
|------------+--------------------------------------+---------------|
| 12.4 | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JMA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JMB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JMC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4JX | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4MD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4MR | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4SW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4T | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XA | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XB | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XC | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XD | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XE | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XF | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XG | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XJ | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XK | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XL | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XM | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XN | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XP | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XQ | 12.4(15)XQ1 | 12.4(15)XQ1 |
|------------+--------------------------------------+---------------|
| 12.4XR | Vulnerable; migrate to any release | 12.4(15)T7 |
| | in 12.4T | |
|------------+--------------------------------------+---------------|
| 12.4XT | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XV | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XW | Not Vulnerable | |
|------------+--------------------------------------+---------------|
| 12.4XY | 12.4(15)XY4 | 12.4(15)XY4 |
|------------+--------------------------------------+---------------|
| 12.4XZ | 12.4(15)XZ1 | 12.4(15)XZ2 |
|------------+--------------------------------------+---------------|
| 12.4YA | Not Vulnerable | |
+-------------------------------------------------------------------+
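The comparison that the "First Fixed Release" column calls for, as an added example (not Cisco's or VARIoT's code). The rows are a subset copied from the 12.4 section of the table above; the ordering rule (maintenance number, maintenance letter, rebuild number, rebuild letter, compared within one train only) is a simplifying assumption of this sketch, and the sample release names in the demo loop are constructed.

```python
import re

# Subset of the table above. None = "Not Vulnerable"; MIGRATE = the train
# has no fixed release of its own and the table says to migrate.
MIGRATE = "migrate"
FIRST_FIXED = {
    "12.4": None,
    "12.4T": None,
    "12.4XQ": "12.4(15)XQ1",
    "12.4XR": MIGRATE,  # "Vulnerable; migrate to any release in 12.4T"
    "12.4XY": "12.4(15)XY4",
    "12.4XZ": "12.4(15)XZ1",
}

_RELEASE = re.compile(
    r"^(\d+)\.(\d+)"      # major.minor, e.g. 12.4
    r"\((\d+)([a-z]?)\)"  # maintenance number and optional letter: (15), (18c)
    r"([A-Z]*)"           # train letters: T, XQ, SB (empty for mainline)
    r"(\d*)([a-z]?)$"     # rebuild number and optional letter: 1, 2c
)


def parse_release(text):
    """Split an IOS 12.x release name into its train and a sortable key."""
    m = _RELEASE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised IOS release name: {text!r}")
    major, minor, maint, maint_letter, train, rebuild, rebuild_letter = m.groups()
    return {
        "train": f"{major}.{minor}{train}",
        # Assumed ordering inside one train; never compare keys across trains.
        "order": (int(maint), maint_letter, int(rebuild or 0), rebuild_letter),
    }


def assess(release, table=FIRST_FIXED):
    """Classify a running release against the first-fixed table."""
    running = parse_release(release)
    if running["train"] not in table:
        return "train-not-in-table"
    fixed = table[running["train"]]
    if fixed is None:
        return "not-vulnerable"
    if fixed == MIGRATE:
        return "vulnerable-migrate"
    if running["order"] < parse_release(fixed)["order"]:
        return "vulnerable"  # earlier than the First Fixed Release
    return "fixed"


if __name__ == "__main__":
    # Constructed release names, except 12.4(6)T2 which the page shows.
    for sample in ("12.4(15)XQ", "12.4(15)XQ1", "12.4(15)XY3",
                   "12.4(15)XR", "12.4(6)T2", "12.3(14)T7"):
        print(f"{sample:14} {assess(sample)}")
```

A "train-not-in-table" result means the row was not copied into `FIRST_FIXED`, not that the release is safe.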
Workarounds
===========
MPLS is normally enabled on physical and logical interfaces that are
shared with other MPLS-enabled devices. It can be disabled on
interfaces where MPLS is not necessary and from which a potential
attack can be launched. This action may help to limit the exposure of
this vulnerability.
If it is not possible to disable MPLS on interfaces from which an
attack can be launched, there are no workarounds to mitigate this
vulnerability.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was found internally.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-Sep-24 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
| VAR-200809-0021 | CVE-2008-3799 |
Memory leak vulnerability in SIP message handling in the Session Initiation Protocol (SIP) implementation of Cisco IOS
Related entries in the VARIoT exploits database: VAR-E-200809-0948 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Memory leak in the Session Initiation Protocol (SIP) implementation in Cisco IOS 12.2 through 12.4, when VoIP is configured, allows remote attackers to cause a denial of service (memory consumption and voice-service outage) via unspecified valid SIP messages. Devices running Cisco IOS with SIP enabled are prone to multiple denial-of-service vulnerabilities.
These issues are tracked by the following Cisco bug IDs and CVEs:
CSCse56800 (CVE-2008-3799)
CSCsg91306 (CVE-2008-3800)
CSCsl62609 (CVE-2008-3801)
CSCsk42759 (CVE-2008-3802)
An attacker can exploit these issues to deny service to legitimate users.
1) An unspecified error exists in the processing of SSL packets
during the termination of an SSL session, which can potentially be
exploited to crash an affected system.
2) Two unspecified errors exist within the processing of Protocol
Independent Multicast (PIM) packets, which can be exploited to cause
an affected device to reload.
Successful exploitation requires that the device is configured with
Network Address Translation (NAT) SCCP Fragmentation Support.
5) Multiple unspecified errors exist in the processing of SIP
messages, which can be exploited to cause a reload of an affected
device.
6) An unspecified error in the IOS Intrusion Prevention System (IPS)
feature when processing certain IPS signatures that use the
SERVICE.DNS engine can be exploited to cause a DoS via specially
crafted network traffic.
7) A security issue exists in the processing of extended communities
with Multi Protocol Label Switching (MPLS) Virtual Private Networks
(VPN), which can lead to traffic leaking from one MPLS VPN to
another.
NOTE: This security issue was introduced with CSCee83237.
8) An unspecified error within the Multi Protocol Label Switching
(MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a
DoS via specially crafted network packets.
Successful exploitation requires access to the MPLS network.
9) An unspecified error within the Application Inspection Control
(AIC) can be exploited to cause a reload of an affected device via
specially crafted HTTP packets.
10) An unspecified error in the processing of Layer 2 Tunneling
Protocol (L2TP) packets can be exploited to cause an affected device
to reload via specially crafted L2TP packets.
Successful exploitation requires that the L2TP mgmt daemon process is
running. This process may be enabled e.g. via Layer 2 virtual private
networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack
Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up
Networks (VPDN).
11) An unspecified error exists in the processing of IPC messages.
This can be exploited to reload an affected device via a specially
crafted UDP packet sent to port 1975.
12) A security issue is caused by the device automatically
enabling SNMP with a default community string, which can be exploited
to gain control of an affected system.
Successful exploitation requires that a device is configured for
linecard redundancy.
SOLUTION:
Update to the fixed version (please see the vendor's advisories for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
.
Cisco has released free software updates that address these
vulnerabilities. Fixed Cisco IOS software listed in the Software
Versions and Fixes section contains fixes for all vulnerabilities
addressed in this advisory.
There are no workarounds available to mitigate the effects of any of
the vulnerabilities apart from disabling the protocol or feature
itself, if administrators do not require the Cisco IOS device to
provide voice over IP services.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
Note: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml
Individual publication links are listed below:
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
Affected Products
=================
These vulnerabilities only affect devices running Cisco IOS that have
SIP voice services enabled. The only requirement for these
vulnerabilities is that the Cisco IOS device processes SIP messages
as part of configured voice over IP (VoIP) functionality (this does
not apply to processing of SIP messages as part of the NAT and
firewall feature sets.) Recent versions of Cisco IOS do not process
SIP messages by default, but creating a "dial peer" via the command
dial-peer voice will start the SIP processes and cause Cisco IOS to
start processing SIP messages. An example of an affected
configuration is as follows:
dial-peer voice <Voice dial-peer tag> voip
... Please refer to
http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml
for additional information on Cisco bug ID CSCsb25337.
In the following example, the presence of the processes
CCSIP_UDP_SOCKET and CCSIP_TCP_SOCKET indicates that the Cisco IOS
device is processing SIP messages:
Router#show processes | include SIP
147 Mwe 40F46DF4 12 2 600023468/24000 0 CCSIP_SPI_CONTRO
148 Mwe 40F21244 0 1 0 5524/6000 0 CCSIP_DNS
149 Mwe 40F48254 4 1 400023108/24000 0 CCSIP_UDP_SOCKET
150 Mwe 40F48034 4 1 400023388/24000 0 CCSIP_TCP_SOCKET
Different versions of Cisco IOS have different ways of verifying
whether the Cisco IOS device is listening for SIP messages. The show
ip sockets, show udp, show tcp brief all, and show control-plane host
open-ports commands can be used to determine this, although not all
of these commands work on all IOS releases. Since it is not practical
in this document to provide a list of commands corresponding to the
various releases, users should try the aforementioned commands to
determine which ones work for their device. The following is one
example of one command that shows a router listening on port 5060
(the SIP port):
router#show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
<output removed for brevity>
tcp *:5060 *:0 SIP LISTEN
<output removed for brevity>
udp *:5060 *:0 SIP LISTEN
In order to determine the software that runs on a Cisco IOS product,
log in to the device and issue the show version command to display
the system banner. Cisco IOS software identifies itself as
"Internetwork Operating System Software" or simply "IOS." On the next
line of output, the image name displays between parentheses, followed
by "Version" and the Cisco IOS release name. Other Cisco devices do
not have the show version command or give different output.
The following example shows output from a device that runs an IOS
image:
router>show version
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(6)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Tue 16-May-06 16:09 by kellythw
<more output removed for brevity>
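The three checks described above (SIP socket processes, listeners on the SIP ports, and the release name from the banner) applied to saved CLI output, as an added example that is not part of the Cisco advisory. The sample inputs are the outputs quoted on this page; the function names and the rule that either signal alone flags the device are assumptions of this sketch.

```python
import re

# Process names the advisory gives as the sign that IOS is handling SIP.
SIP_SOCKET_PROCESSES = {"CCSIP_UDP_SOCKET", "CCSIP_TCP_SOCKET"}
# Ports named in the advisory: UDP/TCP 5060 and TLS on TCP 5061.
SIP_PORTS = {5060, 5061}


def ios_release(show_version):
    """Return the release name that follows "Version" in an IOS banner, else None."""
    if "IOS" not in show_version and "Internetwork Operating System" not in show_version:
        return None  # not an IOS banner
    m = re.search(r"\bVersion\s+([^,\s]+)", show_version)
    return m.group(1) if m else None


def sip_processes(show_processes):
    """SIP socket processes found in `show processes | include SIP` output."""
    found = set()
    for line in show_processes.splitlines():
        fields = line.split()
        if fields and fields[-1] in SIP_SOCKET_PROCESSES:
            found.add(fields[-1])
    return found


def sip_listeners(open_ports):
    """(protocol, port) pairs in LISTEN state on a SIP port, taken from
    `show control-plane host open-ports` output."""
    listeners = set()
    for line in open_ports.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "udp"):
            continue  # prompt, header or "<output removed>" line
        port = fields[1].rpartition(":")[2]  # local address is "*:5060"
        if port.isdigit() and int(port) in SIP_PORTS and fields[-1] == "LISTEN":
            listeners.add((fields[0], int(port)))
    return listeners


def sip_exposure(show_version, show_processes, open_ports):
    """Combine the three checks into one record per device."""
    procs = sip_processes(show_processes)
    listeners = sip_listeners(open_ports)
    return {
        "release": ios_release(show_version),
        "sip_processes": sorted(procs),
        "sip_listeners": sorted(listeners),
        # Assumption: either signal alone is enough to flag the device,
        # since not every show command works on every IOS release.
        "processing_sip": bool(procs or listeners),
    }


# Sample inputs: the outputs quoted in the advisory text above.
SHOW_VERSION = """router>show version
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(6)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
"""
SHOW_PROCESSES = """Router#show processes | include SIP
147 Mwe 40F46DF4 12 2 600023468/24000 0 CCSIP_SPI_CONTRO
148 Mwe 40F21244 0 1 0 5524/6000 0 CCSIP_DNS
149 Mwe 40F48254 4 1 400023108/24000 0 CCSIP_UDP_SOCKET
150 Mwe 40F48034 4 1 400023388/24000 0 CCSIP_TCP_SOCKET
"""
OPEN_PORTS = """router#show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:5060 *:0 SIP LISTEN
udp *:5060 *:0 SIP LISTEN
"""

if __name__ == "__main__":
    for key, value in sip_exposure(SHOW_VERSION, SHOW_PROCESSES, OPEN_PORTS).items():
        print(f"{key}: {value}")
```

The release string returned here is what gets compared against the "First Fixed Release" column for the device's train.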
Additional information on the Cisco IOS release naming conventions
can be found in the document entitled "White Paper: Cisco IOS
Reference Guide", which is available at
http://www.cisco.com/warp/public/620/1.html
Cisco Unified Communications Manager is also affected by some of
these vulnerabilities, although they are tracked by different Cisco
bug IDs. A companion security advisory for Cisco Unified
Communications Manager is available at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
Products Confirmed Not Vulnerable
+--------------------------------
The SIP Application Layer Gateway (ALG), which is used by the IOS
Network Address Translation (NAT) and firewall features of Cisco IOS,
is not affected by these vulnerabilities.
With the exception of the Cisco Unified Communications Manager, no
other Cisco products are currently known to be vulnerable to the
issues described in this advisory.
Details
=======
SIP is a popular signaling protocol used to manage voice and video
calls across IP networks such as the Internet. SIP is responsible for
handling all aspects of call setup and termination. Voice and video
are the most popular types of sessions that SIP handles, but the
protocol is flexible enough to accommodate other applications that
require call setup and termination. SIP call signaling can use UDP
(port 5060), TCP (port 5060), or TLS (TCP port 5061) as the
underlying transport protocol. In all cases vulnerabilities can be
triggered by processing valid SIP messages.
Memory Leak Vulnerability
+------------------------
CSCse56800 causes a memory leak in affected devices.
This vulnerability has been assigned Common Vulnerabilities and
Exposures (CVE) ID CVE-2008-3799.
Device Reload Vulnerabilities
+----------------------------
The following vulnerabilities can lead to a reload of the Cisco IOS
device while processing some specific and valid SIP messages:
* CSCsg91306, assigned CVE ID CVE-2008-3800
* CSCsl62609, assigned CVE ID CVE-2008-3801
* CSCsk42759, assigned CVE ID CVE-2008-3802
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCse56800 - SIP-3-BADPAIR register timer expiry causes slow memory
leak
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsg91306 - processor pool memory corruption in CCSIP_SPI_CONTROL
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsk42759 - Voice Gateway reloads on receiving a valid SIP packet
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsl62609 - Router crash due to presence of valid SIP header
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document may result in a reload of the device. The issue could be
repeatedly exploited to result in an extended Denial of Service (DoS)
condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+------------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|------------+---------------------------------------+--------------|
| 12.2 | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2B | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2BC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2BW | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.2(33)SB2; |
| | | Available on |
| | | 26-SEP-08 |
| 12.2BX | Vulnerable; first fixed in 12.4 | |
| | | 12.4(15)T7 |
| | | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2BY | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2BZ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2CX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2CY | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | Vulnerable; migrate to any release in | 12.2(33)SB2; |
| 12.2CZ | 12.2S | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| 12.2DA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2DD | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2DX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2EW | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2EWA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2EX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2EY | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2EZ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2FX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2FY | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2FZ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2IRB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2IXA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2IXB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2IXC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2IXD | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2IXE | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2IXF | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2IXG | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2JA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2JK | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2MB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.2(15)MC2c are | 12.4(15)T7 |
| 12.2MC | vulnerable, release 12.2(15)MC2c and | |
| | later are not vulnerable; first fixed | 12.4(18c) |
| | in 12.4 | |
|------------+---------------------------------------+--------------|
| 12.2S | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SBC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SCA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SE | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SEA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SEB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SEC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SED | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SEE | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SEF | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SEG | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SG | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SGA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SM | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SO | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SRA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SRB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SRC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SU | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SV | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SVA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SVC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SVD | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SW | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SXA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SXB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SXD | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SXE | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SXF | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SXH | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SY | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2SZ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2T | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2TPC | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2XA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XB | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2XC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XD | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XE | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XF | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XG | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XH | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XI | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XJ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XK | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XM | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2XN | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XNA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XNB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XO | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XQ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XR | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2XS | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XT | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XU | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2XV | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2XW | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2YA | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2YB | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YC | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YD | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YE | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2YF | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YG | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2YH | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YJ | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YK | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2YL | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2YM | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2YN | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YO | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2YP | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2YQ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2YR | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2YS | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2YT | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YU | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.2(11)YV1 are | |
| 12.2YV | vulnerable, release 12.2(11)YV1 and | |
| | later are not vulnerable; | |
|------------+---------------------------------------+--------------|
| 12.2YW | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2YY | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2YZ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2ZA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2ZB | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZC | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZD | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2ZE | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2ZF | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2ZG | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.2ZH | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.2ZJ | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZL | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZP | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.2ZU | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2ZX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2ZY | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.2ZYA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| Affected | | Recommended |
| 12.3-Based | First Fixed Release | Release |
| Releases | | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3 | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3B | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3BC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3BW | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3EU | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JEA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JEB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JEC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JK | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3T | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3TPC | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.3VA | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.3(2)XA7 are | 12.4(15)T7 |
| 12.3XA | vulnerable, release 12.3(2)XA7 and | |
| | later are not vulnerable; first fixed | 12.4(18c) |
| | in 12.4 | |
|------------+---------------------------------------+--------------|
| 12.3XB | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XC | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XD | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XE | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3XF | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XG | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | Vulnerable; migrate to any release in | 12.2(33)SB2; |
| 12.3XI | 12.2SB | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| | | 12.3(14)YX13 |
| 12.3XJ | Vulnerable; first fixed in 12.3YX | |
| | | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XK | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XL | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XQ | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XR | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3XS | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3XU | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.3(14)YX13 |
| 12.3XW | Vulnerable; first fixed in 12.3YX | |
| | | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XX | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XY | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3XZ | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3YA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3YD | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.3(14)YX13 |
| 12.3YF | Vulnerable; first fixed in 12.3YX | |
| | | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YG | 12.3(8)YG7; Available on 01-OCT-08 | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YH | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3YI | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3YJ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | Releases prior to 12.3(11)YK3 are | |
| 12.3YK | vulnerable, release 12.3(11)YK3 and | 12.4(15)T7 |
| | later are not vulnerable; first fixed | |
| | in 12.4T | |
|------------+---------------------------------------+--------------|
| | | 12.3(14) |
| 12.3YM | 12.3(14)YM13; Available on 30-SEP-08 | YM13; |
| | | Available on |
| | | 30-SEP-08 |
|------------+---------------------------------------+--------------|
| 12.3YQ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YS | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YT | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.4(2)XB10 |
| | | |
| 12.3YU | Vulnerable; first fixed in 12.4XB | 12.4(9)XG3 |
| | | |
| | | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.3YX | 12.3(14)YX12 | 12.3(14)YX13 |
|------------+---------------------------------------+--------------|
| 12.3YZ | 12.3(11)YZ3 | |
|------------+---------------------------------------+--------------|
| 12.3ZA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| Affected | | Recommended |
| 12.4-Based | First Fixed Release | Release |
| Releases | | |
|------------+---------------------------------------+--------------|
| | 12.4(13f) | |
| | | |
| 12.4 | 12.4(17b) | 12.4(18c) |
| | | |
| | 12.4(18) | |
|------------+---------------------------------------+--------------|
| 12.4JA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JK | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JMA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JMB | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JMC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4JX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4MD | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4MR | 12.4(19)MR | 12.4(19)MR |
|------------+---------------------------------------+--------------|
| 12.4SW | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | 12.4(15)T4 | |
| | | |
| 12.4T | 12.4(20)T | 12.4(15)T7 |
| | | |
| | 12.4(6)T11 | |
|------------+---------------------------------------+--------------|
| 12.4XA | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.4XB | 12.4(2)XB10 | 12.4(2)XB10 |
|------------+---------------------------------------+--------------|
| 12.4XC | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| | | 12.4(4)XD11; |
| 12.4XD | 12.4(4)XD11; Available on 26-SEP-08 | Available on |
| | | 26-SEP-08 |
|------------+---------------------------------------+--------------|
| 12.4XE | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.4XF | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XG | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XJ | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.4XK | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XL | 12.4(15)XL2 | 12.4(15)XL2 |
|------------+---------------------------------------+--------------|
| 12.4XM | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XN | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XP | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.4XQ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XR | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4XT | Vulnerable; first fixed in 12.4T | 12.4(15)T7 |
|------------+---------------------------------------+--------------|
| 12.4XV | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.4XW | 12.4(11)XW7 | 12.4(11)XW9 |
|------------+---------------------------------------+--------------|
| 12.4XY | 12.4(15)XY3 | 12.4(15)XY4 |
|------------+---------------------------------------+--------------|
| 12.4XZ | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.4YA | Not Vulnerable | |
+-------------------------------------------------------------------+
Workarounds
===========
If the affected Cisco IOS device needs to provide voice over IP
services and therefore SIP cannot be disabled then none of the listed
vulnerabilities have workarounds. Users are advised to apply
mitigation techniques to limit exposure to the listed
vulnerabilities. Mitigation consists of only allowing legitimate
devices to connect to the routers. To increase effectiveness, the
mitigation must be coupled with anti-spoofing measures on the network
edge. This action is required because SIP can use UDP as the
transport protocol.
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://www.cisco.com/warp/public/707/cisco-amb-20080924-sip.shtml
Disable SIP Listening Ports
+--------------------------
For devices that do not require SIP to be enabled, the simplest and
most effective workaround is to disable SIP processing on the device.
Some versions of Cisco IOS allow administrators to accomplish this
with the following commands:
    sip-ua
     no transport udp
     no transport tcp
Warning: When applying this workaround to devices processing
MGCP or H.323 calls, the device will not allow you to stop SIP
processing while active calls are being processed. Under these
circumstances, this workaround should be implemented during a
maintenance window when active calls can be briefly stopped.
It is recommended that after applying this workaround, the show
commands discussed in the Vulnerable Products section be used to
confirm that the Cisco IOS device is no longer processing SIP
messages.
Control Plane Policing
+---------------------
For devices that need to offer SIP services it is possible to use
Control Plane Policing (CoPP) to block SIP traffic to the device from
untrusted sources. Cisco IOS software releases 12.0S, 12.2SX, 12.2S,
12.3T, 12.4, and 12.4T support the CoPP feature. CoPP may be
configured on a device to protect the management and control planes
to minimize the risk and effectiveness of direct infrastructure
attacks by explicitly permitting only authorized traffic sent to
infrastructure devices in accordance with existing security policies
and configurations. The following example can be adapted to your
network:
    !-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
    !-- Everything else is not trusted. The following access list is used
    !-- to determine what traffic needs to be dropped by a control plane
    !-- policy (the CoPP feature.) If the access list matches (permit)
    !-- then traffic will be dropped and if the access list does not
    !-- match (deny) then traffic will be processed by the router.

    access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060
    access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5060
    access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5061
    access-list 100 deny udp host 172.16.1.1 any eq 5060
    access-list 100 deny tcp host 172.16.1.1 any eq 5060
    access-list 100 deny tcp host 172.16.1.1 any eq 5061
    access-list 100 permit udp any any eq 5060
    access-list 100 permit tcp any any eq 5060
    access-list 100 permit tcp any any eq 5061

    !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
    !-- traffic in accordance with existing security policies and
    !-- configurations for traffic that is authorized to be sent
    !-- to infrastructure devices.
    !-- Create a Class-Map for traffic to be policed by
    !-- the CoPP feature.

    class-map match-all drop-sip-class
     match access-group 100

    !-- Create a Policy-Map that will be applied to the
    !-- Control-Plane of the device.

    policy-map drop-sip-traffic
     class drop-sip-class
      drop

    !-- Apply the Policy-Map to the Control-Plane of the
    !-- device.

    control-plane
     service-policy input drop-sip-traffic
Warning: Because SIP can utilize UDP as a transport protocol,
it is possible to easily spoof the sender's IP address, which may
defeat ACLs that permit communication to these ports from trusted
IP addresses.
In the above CoPP example, the access control list entries (ACEs)
that match the potential exploit packets with the "permit" action
result in these packets being discarded by the policy-map "drop"
function, while packets that match the "deny" action (not shown) are
not affected by the policy-map drop function. Additional information
on the configuration and use of the CoPP feature can be found at
http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml
and http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html
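The inverted permit/deny semantics of the CoPP example above can be checked offline. The following Python sketch is an added illustration, not part of the Cisco advisory: it parses ACL 100 exactly as printed above and classifies constructed sample packets the way the drop-sip-class class-map would. The packet addresses, the router address 10.0.0.1 and all function names are assumptions made for the example.

```python
import ipaddress

# ACL 100 exactly as printed in the advisory's CoPP example.
ACL_100 = """\
access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5061
access-list 100 deny udp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5061
access-list 100 permit udp any any eq 5060
access-list 100 permit tcp any any eq 5060
access-list 100 permit tcp any any eq 5061
"""


def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acl(text):
    """Parse extended ACL lines of the form used above (numeric 'eq' ports only)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append({"action": action, "proto": proto,
                        "src": src, "dst": dst, "dport": dport})
    return entries


def _addr_match(addr, spec):
    """Wildcard-mask compare: bits set in the wildcard are 'don't care'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def acl_action(entries, proto, src, dst, dport):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for e in entries:
        if e["proto"] not in (proto, "ip"):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        if _addr_match(src, e["src"]) and _addr_match(dst, e["dst"]):
            return e["action"]
    return "deny"


def copp_verdict(entries, proto, src, dst, dport):
    """The class-map matches only on ACL 'permit', and the policy action is drop.
    An ACL 'deny' (explicit or implicit) keeps the packet out of the class,
    so the router processes it."""
    return "dropped" if acl_action(entries, proto, src, dst, dport) == "permit" else "processed"


ENTRIES = parse_acl(ACL_100)

# Constructed sample packets: (protocol, source, destination, destination port).
SAMPLES = [
    ("udp", "203.0.113.10", "10.0.0.1", 5060),  # untrusted source, SIP over UDP
    ("tcp", "203.0.113.10", "10.0.0.1", 5061),  # untrusted source, SIP over TLS
    ("udp", "192.168.1.50", "10.0.0.1", 5060),  # inside the trusted /24
    ("tcp", "172.16.1.1", "10.0.0.1", 5061),    # the trusted host
    ("udp", "172.16.1.2", "10.0.0.1", 5060),    # neighbour of the trusted host
    ("tcp", "203.0.113.10", "10.0.0.1", 22),    # non-SIP: implicit deny, not in class
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", copp_verdict(ENTRIES, *pkt))
```

The ACL matches only on the source address carried in the packet, which is why the advisory pairs this policy with anti-spoofing measures at the network edge when SIP runs over UDP.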
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were discovered by Cisco internal testing and
during handling of customer service requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+----------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-September-24 | public |
| | | release |
+----------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
| VAR-200901-0123 | CVE-2008-5994 | Check Point Connectra NGX of index.php Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in index.php in Check Point Connectra NGX R62 HFA_01 allows remote attackers to inject arbitrary web script or HTML via the dir parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Connectra NGX is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Connectra NGX R62 HFA_01, Hotfix 601, Builds 006 and 014 are vulnerable; other versions may also be affected.
TITLE:
Checkpoint Connectra NGX "dir" Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID:
SA31553
VERIFY ADVISORY:
http://secunia.com/advisories/31553/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
OPERATING SYSTEM:
Check Point Connectra Appliances
http://secunia.com/advisories/product/13352/
DESCRIPTION:
Sarid Harper has reported a vulnerability in Checkpoint Connectra
NGX, which can be exploited by malicious people to conduct cross-site
scripting attacks.
Input passed to the "dir" parameter in index.php is not properly
sanitised before being returned to the user.
SOLUTION:
Filter malicious characters and character sequences in a proxy.
PROVIDED AND/OR DISCOVERED BY:
Sarid Harper
| VAR-200809-0483 | No CVE | Multiple SAGEM F@st Routers DHCP Hostname HTML Injection Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Multiple SAGEM F@st routers are prone to an HTML-injection vulnerability because they fail to sufficiently sanitize user-supplied input data.
Attacker-supplied HTML and script code would run in the context of the web interface of the affected device, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
The issue affects SAGEM F@st routers 1200, 1240, 1400, 1400W, 1500, 1500-WG, and 2404.
| VAR-200903-0100 | CVE-2008-6465 |
Parallels H-Sphere of webshell4 Vulnerable to cross-site scripting
Related entries in the VARIoT exploits database: VAR-E-200809-0699 |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in login.php in webshell4 in Parallels H-Sphere 3.0.0 P9 and 3.1 P1 allow remote attackers to inject arbitrary web script or HTML via the (1) err, (2) errorcode, and (3) login parameters. H-Sphere is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
H-Sphere 3.0.0 Patch 9 and 3.1 Patch 1 are vulnerable; other versions may also be affected.
TITLE:
H-Sphere webshell4 "login.php" Cross-Site Scripting
SECUNIA ADVISORY ID:
SA31830
VERIFY ADVISORY:
http://secunia.com/advisories/31830/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
SOFTWARE:
H-Sphere 3.x
http://secunia.com/advisories/product/19894/
DESCRIPTION:
t0fx has reported two vulnerabilities in H-Sphere, which can be
exploited by malicious people to conduct cross-site scripting
attacks.
Input passed to the "err" and "login" parameters in webshell4's
login.php script is not properly sanitised before being returned to
the user.
The vulnerabilities are reported in versions 3.0.0 P9 and 3.1 P1.
SOLUTION:
Filter malicious characters and character sequences in a web proxy.
PROVIDED AND/OR DISCOVERED BY:
t0fx. Additional information from Peter M. Abraham.
ORIGINAL ADVISORY:
http://www.xssing.com/index.php?x=3&y=65
| VAR-200809-0053 | CVE-2008-4128 |
Cisco IOS In HTTP Administration Multiple cross-site request forgery vulnerabilities related to components
Related entries in the VARIoT exploits database: VAR-E-200809-0317, VAR-E-200809-0315, VAR-E-200809-0316 |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Multiple cross-site request forgery (CSRF) vulnerabilities in the HTTP Administration component in Cisco IOS 12.4 on the 871 Integrated Services Router allow remote attackers to execute arbitrary commands via (1) a certain "show privilege" command to the /level/15/exec/- URI, and (2) a certain "alias exec" command to the /level/15/exec/-/configure/http URI. NOTE: some of these details are obtained from third party information. The Cisco 871 Integrated Services Router is prone to a cross-site request-forgery vulnerability.
Successful exploits can run arbitrary commands on affected devices. This may lead to further network-based attacks.
The 871 Integrated Services Router under IOS 12.4 is vulnerable; other products and versions may also be affected.
| VAR-200809-0045 | CVE-2008-4116 | Apple QuickTime and iTunes Vulnerable to buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in Apple QuickTime 7.5.5 and iTunes 8.0 allows remote attackers to cause a denial of service (browser crash) or possibly execute arbitrary code via a long type attribute in a quicktime tag (1) on a web page or embedded in a (2) .mp4 or (3) .mov file, possibly related to the Check_stack_cookie function and an off-by-one error that leads to a heap-based buffer overflow. Apple QuickTime is prone to a buffer-overflow vulnerability.
An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted file.
Successfully exploiting this issue allows remote attackers to cause the affected application to crash. Reportedly, code execution is not possible.
This issue affects QuickTime 7.5.5; other versions may also be vulnerable. The <? quicktime type= ?> tag does not correctly handle a long attribute string. If the user uses the QuickTime or iTunes media player to open the webpage or . A single-byte heap overflow can be triggered, resulting in a denial of service or the execution of arbitrary instructions.
| VAR-200809-0192 | CVE-2008-3618 | Apple Mac OS X file sharing allows authenticated remote access to files and directories |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
The File Sharing pane in the Sharing preference pane in Apple Mac OS X 10.5 through 10.5.4 does not inform users that the complete contents of their own home directories are shared for their own use, which might allow attackers to leverage other vulnerabilities and access files for which sharing was unintended.
The security update addresses a total of 17 new vulnerabilities that affect the Apple Type Services, Directory Services, Finder, ImageIO, Kernel, Login Windows, SearchKit, System Configuration, System Preferences, Time Machine, VideoConference, and Wiki Server components of Mac OS X. The advisory also contains security updates for 17 previously reported issues. Attackers could exploit these vulnerabilities to execute arbitrary
code, gain access to sensitive information, or cause a denial of service.
I.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences include
arbitrary code execution, sensitive information disclosure, denial of
service, privilege escalation, or DNS cache poisoning.
III.
These and other updates are available via Software Update or via Apple
Downloads.
IV. Please send
email to <cert@cert.org> with "TA08-260A Feedback VU#547251" in the
subject.
Produced 2008 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
September 16 2008: Initial release
| VAR-200809-0191 | CVE-2008-3617 | Apple Mac OS X file sharing allows authenticated remote access to files and directories |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Remote Management and Screen Sharing in Apple Mac OS X 10.5 through 10.5.4, when used to set a password for a VNC viewer, displays additional input characters beyond the maximum password length, which might make it easier for attackers to guess passwords that the user believed were longer. Apple Mac OS X Leopard does not accurately reflect which files and directories are available via sharing.
The security update addresses a total of 17 new vulnerabilities that affect the Apple Type Services, Directory Services, Finder, ImageIO, Kernel, Login Windows, SearchKit, System Configuration, System Preferences, Time Machine, VideoConference, and Wiki Server components of Mac OS X. The advisory also contains security updates for 17 previously reported issues. The password field can display more than 8 characters, that is, extra characters are used in the password. Attackers could exploit these vulnerabilities to execute arbitrary
code, gain access to sensitive information, or cause a denial of service.
I.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences include
arbitrary code execution, sensitive information disclosure, denial of
service, privilege escalation, or DNS cache poisoning.
III.
These and other updates are available via Software Update or via Apple
Downloads.
IV. Please send
email to <cert@cert.org> with "TA08-260A Feedback VU#547251" in the
subject.
Produced 2008 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
September 16 2008: Initial release
| VAR-200809-0236 | CVE-2008-3950 | Apple iPhone of _web_drawInRect:withFont:ellipsis:alignment:measureOnly Service disruption in functions (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Off-by-one error in the _web_drawInRect:withFont:ellipsis:alignment:measureOnly function in WebKit in Safari in Apple iPhone 1.1.4 and 2.0 and iPod touch 1.1.4 and 2.0 allows remote attackers to cause a denial of service (browser crash) via a JavaScript alert call with an argument that lacks breakable characters and has a length that is a multiple of the memory page size, leading to an out-of-bounds read. Apple iPhone and iPod touch are prone to a remote denial-of-service vulnerability that occurs in the WebKit library used by the Safari browser.
Remote attackers can exploit this issue to crash the affected browser installed on the devices, denying service to legitimate users.
The following devices and corresponding firmware are affected:
iPhone 1.1.4 and 2.0
iPod touch 1.1.4 and 2.0.
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
iPhone Safari JavaScript alert Denial of Service
1. *Advisory Information*
Title: iPhone Safari JavaScript alert Denial of Service
Advisory ID: CORE-2008-0603
Advisory URL:
http://www.coresecurity.com/content/iphone-safari-javascript-alert-denial-of-service
Date published: 2008-09-12
Date of last update: 2008-09-12
Vendors contacted: Apple Security
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Client-side Denial of Service
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 31061
CVE Name: CVE-2008-3950
3. By inserting a special string on the 'alert()' JavaScript
method, it's possible to crash Safari via an outbound memory read
triggering an access violation.
4. *Vulnerable packages*
. iPhone v1.1.4 and v2.0
. iPod touch v1.1.4 and v2.0
5. *Non-vulnerable packages*
. iPhone v2.1
. iPod Touch v2.1
6. *Vendor Information*
The information on this section was provided verbatim by the vendor.
6.1. *Availability*
Apple security updates are available via the Software Update mechanism:
http://support.apple.com/kb/HT1338
Apple security updates are also available for manual download via:
http://www.apple.com/support/downloads/
6.2. *Cross-References*
We generally do not publish advisories for denial of service issues
unless there are more serious security consequences. As such, we are not
planning to describe the fix for this issue, but we do appreciate your
having reported it to us. If you provide cross-referencing information
in your advisory please link to the following URL:
http://support.apple.com/kb/HT1222
7. *Credits*
Nicolas Economou from Core Security Technologies discovered and
researched this vulnerability.
8.
The vulnerable function is
'_web_drawInRect:withFont:ellipsis:alignment:measureOnly: :
NSString(WebStringDrawing)' which is one of the functions used by the
'alert()' method on this implementation of JavaScript.
The 'alert()' method receives a string parameter to be shown on screen.
When this string parameter is large, the library maps the required
memory to store it.
As the memory page size is 4096 bytes, the reserved memory is
rounded-up, that is, the rest of the page is marked as reserved but
unused. If a string has length divisible by 4096, it fits exactly in the
memory reserved, no bytes are left unused.
When the vulnerable function is called, it calls the method
'WebCore::nextBreakablePosition' in charge of searching for "breakable"
characters, for example a space, character "-", etcetera, and returns
the position where the first "breakable" character was found. This
method takes as parameter the same string passed to the 'alert' on
JavaScript.
In the case that no "breakable" characters are found, it returns the
final position of the string plus 1. For example, if the string size is
'0x1000' and the function doesn't find anything, it returns position
'0x1000', counting from zero, obviously.
The crash is generated when function
'_web_drawInRect:withFont:ellipsis:alignment:measureOnly' receives as
parameter a large string with a size multiple of 4096 without
"breakable" characters and then passes it to method
'WebCore::nextBreakablePosition'. Once the method is called, it uses the
return value to access the out-of-bound string position, just outside of
the memory allocated and possibly located on a non-mapped memory area.
The vulnerability is produced by an invalid access read.
The function fragment where the vulnerability was found is shown:
/-----------
31739CB4 MOV R1, R8 ; R1=string
31739CB8 MOV R2, R10 ; R10=string len
31739CBC MOV R3, R8
31739CC0 MOV R0, R4
31739CC4 BL WebCore::nextBreakablePosition(ushort const*,int,int,bool)
31739CC8 LDR R1, =0x1008
31739CCC MOV R3, R0,LSL#1 ; R0=returned position
31739CD0 MOV R5, R0
31739CD4 LDRH R0, [R4,R3] ; <---- CRASH !!!
31739CD8 ADD R6, R4, R3
31739CDC BL _u_getIntPropertyValue
31739CE0 CMP R0, #0x1D
31739CE4 BHI loc_31739D1C
- -----------/
The following proof of concept HTML code generates the string with
length multiple of 4096 to demonstrate the bug.
/-----------
<html>
<body>
<form>
<script type="text/javascript" language="JavaScript">
var st = "A";
alert ( "Crashing Safari on iPhone..." );
for ( var d = 1 ; d <= 16 ; d ++ )
{
st += st;
}
alert ( st );
</script>
</form>
</body>
</html>
- -----------/
When debugging Safari on iPhone with 'iphonedbg'[1] the proof-of-concept
produces the following output:
/-----------
ACCESS VIOLATION
r0=00010000 r1=00001008 r2=00000041 r3=00020000
r4=02e00000 r5=00010000 r6=00000001 r7=2ffff04c
r8=00000000 r9=3800da94 r10=00010000 r11=001833e0
r12=ffffffff sp=2fffe70c lr=31739cc8 pc=31739cd4
ctrl=60000010
WebCore!-[NSString(WebStringDrawing)
_web_drawInRect:withFont:ellipsis:alignment:measureOnly:]+268:
pc=31739cd4 b3 00 94 e1 ldrh r0, [r4, r3]
- -----------/
It can be seen that the instruction 'ldrh r0, [r4, r3]' tries to read
the memory location pointed by 'R4+R3', in this case, unmapped memory.
Making a dump of the memory area accessed, we see the following:
/-----------
31739cd4> db r4+r3-40
02e1ffc0 | 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 |
A.A.A.A.A.A.A.A.
02e1ffd0 | 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 |
A.A.A.A.A.A.A.A.
02e1ffe0 | 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 |
A.A.A.A.A.A.A.A.
02e1fff0 | 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 |
A.A.A.A.A.A.A.A.
02e20000 | ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? |
????????????????
02e20010 | ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? |
????????????????
02e20020 | ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? |
????????????????
02e20030 | ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? |
????????????????
- -----------/
9. *Report Timeline*
2008-07-21: Core notifies the vendor of the bug and sends the advisory
draft (with PoC). Core states that version 1.1.4 and previous versions
are affected.
2008-07-24: Core asks for confirmation of reception of the previous email.
2008-07-24: Vendor acknowledges and states that they will analyze the bug.
2008-07-29: Vendor confirms the existence of the bug, but doesn't
consider that this client-side denial-of-service affects the security of
the system. It communicates that version 2.0 is also affected and
requests to wait until a patch is available before releasing the advisory.
2008-07-29: Core replies that further testing reveals that 2.0 is also
affected (crash sent), that the issue is considered by Core as a
security problem, and asks for concrete information regarding dates and
versions of the patch.
2008-07-29: Vendor confirms that versions 1.1.4 and 2.0.0 are affected,
and declines to provide an estimated date for the release of fixed
versions at that moment.
2008-07-29: Core requests an estimation of when the update information
will be available.
2008-08-04: Vendor replies that the timeframe will be communicated to
Core as soon as they have it.
2008-08-26: Core asks for any update of the schedule to fix the DoS, and
notifies the Vendor that the publication was rescheduled to September 16th.
2008-09-05: Vendor estimates that their patch and security bulletin
would be released early on September 7th week.
2008-09-05: Core confirms that the advisory will be released as soon as
the security bulletin is sent to Core.
2008-09-08: Core requests a more precise timing to the vendor.
2008-09-08: Vendor confirms that the Apple patch is not going out on
Monday 8th, and requests Core to hold off the advisory until the
Vendor's security bulletin is out.
2008-09-11: Core requests the vendor a new date for re-scheduling the
publication of advisory CORE-2008-0603, notices that a security update
has been released for iPod touch on September 9th without notification
to Core and asks for details.
2008-09-12: Vendor responds that the update of September 9th fixes the
bug for iPod touch and the update released on Friday 12th fixes it for
iPhone.
2008-09-12: Core publishes advisory CORE-2008-0603.
10. *References*
[1] iPhoneDbg Toolkit http://oss.coresecurity.com/projects/iphonedbg.html.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
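The missing bounds check described in advisory CORE-2008-0603 above, as an added C example (not Core's or Apple's code): a scanner that returns the string length when no breakable character exists, a caller that validates that index before loading, and the page arithmetic that explains why the unchecked read only faults when the string fills its last page. `next_breakable_position`, `page_slack`, `break_char_checked` and the sample strings are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SIZE 4096u /* page size stated in the advisory */

/* Simplified stand-in for the break scanner (an assumption, not WebKit code):
 * index of the first breakable character at or after start, or len if none. */
static int next_breakable_position(const uint16_t *s, int len, int start)
{
    for (int i = start; i < len; i++) {
        if (s[i] == ' ' || s[i] == '-')
            return i;
    }
    return len; /* "not found" is one past the last valid index */
}

/* Bytes left unused in the final page of an allocation of nbytes. */
static size_t page_slack(size_t nbytes)
{
    size_t rem = nbytes % PAGE_SIZE;
    return rem == 0 ? 0 : PAGE_SIZE - rem;
}

/* 1 if an unchecked 16-bit load at index len_chars would fall outside the
 * pages backing the string. With slack the same load is still out of bounds
 * for the string, but it lands in mapped memory and goes unnoticed. */
static int unchecked_load_leaves_mapping(int len_chars)
{
    size_t nbytes = (size_t)len_chars * sizeof(uint16_t);
    return page_slack(nbytes) < sizeof(uint16_t);
}

/* Hardened caller: treat pos == len as "no break" and never dereference it.
 * Returns the break position, or -1 when there is none. */
static int break_char_checked(const uint16_t *s, int len, uint16_t *out)
{
    int pos = next_breakable_position(s, len, 0);
    if (pos < 0 || pos >= len)
        return -1;
    *out = s[pos];
    return pos;
}

/* Constructed sample: len copies of 'A', optionally with '-' at dash_at.
 * Returns what the hardened caller reports, or -2 on allocation failure. */
static int demo(int len, int dash_at)
{
    uint16_t *s = malloc((size_t)len * sizeof *s);
    uint16_t ch = 0;
    int pos;

    if (s == NULL)
        return -2;
    for (int i = 0; i < len; i++)
        s[i] = 'A';
    if (dash_at >= 0 && dash_at < len)
        s[dash_at] = '-';
    pos = break_char_checked(s, len, &ch);
    free(s);
    return pos;
}

int main(void)
{
    /* 0x10000 characters matches r0/r10 in the register dump above. */
    printf("no break, 0x10000 chars: checked caller returns %d\n",
           demo(0x10000, -1));
    printf("break at index 10:       checked caller returns %d\n",
           demo(0x10000, 10));
    printf("slack for 0x10000 chars: %zu bytes, unchecked load faults: %d\n",
           page_slack((size_t)0x10000 * 2), unchecked_load_leaves_mapping(0x10000));
    printf("slack for 0xFFFF chars:  %zu bytes, unchecked load faults: %d\n",
           page_slack((size_t)0xFFFF * 2), unchecked_load_leaves_mapping(0xFFFF));
    return 0;
}
```

The last two lines of output show why ordinary testing misses this class of bug: one character fewer and the same out-of-bounds load reads page slack instead of faulting.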
| VAR-200908-0093 | CVE-2008-7009 | Check Point ZoneAlarm Security Suite of multiscan.exe Vulnerable to buffer overflow |
CVSS V2: 6.9 CVSS V3: - Severity: MEDIUM |
Buffer overflow in multiscan.exe in Check Point ZoneAlarm Security Suite 7.0.483.000 and 8.0.020.000 allows local users to execute arbitrary code via a file or directory with a long path. NOTE: some of these details are obtained from third party information. ZoneAlarm Security Suite is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input when performing virus scans on long directory paths.
Remote attackers may leverage this issue to execute arbitrary code with SYSTEM-level privileges and gain complete access to the vulnerable computer. Failed attacks will cause denial-of-service conditions.
This issue affects ZoneAlarm Security Suite 7.0.483.000; other versions may also be affected. ZoneAlarm is a personal computer firewall that protects personal data and privacy.
TITLE:
ZoneAlarm Internet Security Suite "multiscan.exe" Buffer Overflow
SECUNIA ADVISORY ID:
SA31832
VERIFY ADVISORY:
http://secunia.com/advisories/31832/
CRITICAL:
Less critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
ZoneAlarm Internet Security Suite 8.x
http://secunia.com/advisories/product/19816/
ZoneAlarm Internet Security Suite 7.x
http://secunia.com/advisories/product/19815/
DESCRIPTION:
Juan Pablo Lopez Yacubian has discovered a vulnerability in ZoneAlarm
Internet Security Suite, which can be exploited by malicious people to
compromise a user's system.
The vulnerability is caused due to a boundary error in multiscan.exe
when processing input from files passed via the "-f" command line
parameter. This can be exploited to cause a buffer overflow by e.g.
tricking a user into scanning a file or directory with a specially
crafted name via the "Scan with ZoneAlam Anti-virus" shell
extension.
Successful exploitation may allow the execution of arbitrary code.
The vulnerability is confirmed in version 7.0.483.000 and
8.0.020.000.
SOLUTION:
A solution is not available.
PROVIDED AND/OR DISCOVERED BY:
Juan Pablo Lopez Yacubian
| VAR-200809-0566 | CVE-2008-3529 | libxml2 of xmlParseAttValueComplex Heap-based buffer overflow vulnerability in functions |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name. The 'libxml' library is prone to a heap-based buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue to execute arbitrary code within the context of an application using the affected library. Failed exploit attempts will result in a denial-of-service vulnerability. The libxml package provides a library of functions that allow users to manipulate XML files, including support for reading, modifying, and writing XML and HTML files.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200812-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: libxml2: Multiple vulnerabilities
Date: December 02, 2008
Bugs: #234099, #237806, #239346, #245960
ID: 200812-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities in libxml2 might lead to execution of
arbitrary code or Denial of Service.
Background
==========
libxml2 is the XML (eXtended Markup Language) C parser and toolkit
initially developed for the Gnome project.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/libxml2 < 2.7.2-r1 >= 2.7.2-r1
Description
===========
Multiple vulnerabilities were reported in libxml2:
* Andreas Solberg reported that libxml2 does not properly detect
recursion during entity expansion in an attribute value
(CVE-2008-3281).
* A heap-based buffer overflow has been reported in the
xmlParseAttValueComplex() function in parser.c (CVE-2008-3529).
* Christian Weiske reported that predefined entity definitions in
entities are not properly handled (CVE-2008-4409).
* Drew Yao of Apple Product Security reported an integer overflow in
the xmlBufferResize() function that can lead to an infinite loop
(CVE-2008-4225).
* Drew Yao of Apple Product Security reported an integer overflow in
the xmlSAX2Characters() function leading to a memory corruption
(CVE-2008-4226).
Impact
======
A remote attacker could entice a user or automated system to open a
specially crafted XML document with an application using libxml2,
possibly resulting in the execution of arbitrary code or a high CPU and
memory consumption.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All libxml2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.7.2-r1"
References
==========
[ 1 ] CVE-2008-3281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3281
[ 2 ] CVE-2008-3529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529
[ 3 ] CVE-2008-4409
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4409
[ 4 ] CVE-2008-4225
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4225
[ 5 ] CVE-2008-4226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4226
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200812-06.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
===========================================================
Ubuntu Security Notice USN-815-1 August 11, 2009
libxml2 vulnerabilities
CVE-2008-3529, CVE-2009-2414, CVE-2009-2416
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
    libxml2 2.6.24.dfsg-1ubuntu1.5
Ubuntu 8.04 LTS:
    libxml2 2.6.31.dfsg-2ubuntu1.4
Ubuntu 8.10:
    libxml2 2.6.32.dfsg-4ubuntu1.2
Ubuntu 9.04:
    libxml2 2.6.32.dfsg-5ubuntu4.2
After a standard system upgrade you need to restart your sessions to effect
the necessary changes.
Details follow:
It was discovered that libxml2 did not correctly handle root XML document
element DTD definitions. (CVE-2009-2414)
It was discovered that libxml2 did not correctly parse Notation and
Enumeration attribute types. (CVE-2009-2416)
USN-644-1 fixed a vulnerability in libxml2. This advisory provides the
corresponding update for Ubuntu 9.04.
Original advisory details:
It was discovered that libxml2 did not correctly handle long entity names. (CVE-2008-3529)
.
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2008:192
http://www.mandriva.com/security/
_______________________________________________________________________
Package : libxml2
Date : September 11, 2008
Affected: 2007.1, 2008.0, 2008.1, Corporate 3.0, Corporate 4.0
_______________________________________________________________________
Problem Description:
A heap-based buffer overflow was found in how libxml2 handled long
XML entity names.
The updated packages have been patched to prevent this issue.
As well, the patch to fix CVE-2008-3281 has been updated to remove
the hard-coded entity limit that was set to 5M, instead using XML
entity density heuristics. Many thanks to Daniel Veillard of Red Hat
for his hard work in tracking down and dealing with the edge cases
discovered with the initial fix to this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
. This could allow the execution of arbitrary
code via a malicious XML file.
For the stable distribution (etch), this problem has been fixed in version
2.6.27.dfsg-5.
For the unstable distribution (sid), this problem has been fixed in
version 2.6.32.dfsg-4.
We recommend that you upgrade your libxml2 package.
Upgrade instructions
--------------------
    wget url
        will fetch the file for you
    dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
    apt-get update
        will update the internal database
    apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
-------------------------------
These files will probably be moved into the stable distribution on
its next update.
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>