Cisco IOS Malicious IPV4 Packet Sequence Denial Of Service Vulnerability
Risk
High
Date Discovered
07-16-2003
Description
A denial of service vulnerability has been reported to exist in all hardware platforms that run Cisco IOS versions 11.x through 12.x. This issue may be triggered by a sequence of specially crafted IPv4 packets. An affected device must be power cycled to regain normal functionality.
Components Affected
Cisco IOS 12.2ZJ
Cisco IOS 12.2ZE
Cisco IOS 12.2ZD
Cisco IOS 12.2ZC
Cisco IOS 12.2ZB
Cisco IOS 12.2ZA
Cisco IOS 12.2YZ
Cisco IOS 12.2YY
Cisco IOS 12.2YX
Cisco IOS 12.2YW
Cisco IOS 12.2YV
Cisco IOS 12.2YU
Cisco IOS 12.2YT
Cisco IOS 12.2YS
Cisco IOS 12.2YR
Cisco IOS 12.2YQ
Cisco IOS 12.2YP
Cisco IOS 12.2YO
Cisco IOS 12.2YN
Cisco IOS 12.2YM
Cisco IOS 12.2YL
Cisco IOS 12.2YK
Cisco IOS 12.2YJ
Cisco IOS 12.2XU
Cisco IOS 12.2SZ
Cisco IOS 12.2SY
Cisco IOS 12.2SX
Cisco IOS 12.2MX
Cisco IOS 12.2MC
Cisco IOS 12.2JA
Cisco IOS 12.2DX
Cisco IOS 12.2CY
Cisco IOS 12.2CX
Cisco IOS 12.2BW
Cisco IOS 12.1YJ
Cisco IOS 12.1T
Cisco IOS 12.1EV
Cisco IOS 12.1EB
Cisco IOS 12.1AY
Cisco IOS 12.1AX
Cisco IOS 12.0SZ
Cisco IOS 11.1 CA
Cisco IOS 11.2 P
Cisco IOS 11.2
Cisco IOS 11.3 T
Cisco IOS 11.3
Cisco IOS 12.0 XW
Cisco IOS 12.0 XV
Cisco IOS 12.0 XU
Cisco IOS 12.0 XS
Cisco IOS 12.0 XR
Cisco IOS 12.0 XQ
Cisco IOS 12.0 XP
Cisco IOS 12.0 XN
Cisco IOS 12.0 XM
Cisco IOS 12.0 XL
Cisco IOS 12.0 XK
Cisco IOS 12.0 XJ
Cisco IOS 12.0 XI
Cisco IOS 12.0 XH
Cisco IOS 12.0 XG
Cisco IOS 12.0 XF
Cisco IOS 12.0 XE
Cisco IOS 12.0 XD
Cisco IOS 12.0 XC
Cisco IOS 12.0 XB
Cisco IOS 12.0 XA
Cisco IOS 12.0 WT
Cisco IOS 12.0 WC
Cisco IOS 12.0 W5
Cisco IOS 12.0 T
Cisco IOS 12.0 SY
Cisco IOS 12.0 SX
Cisco IOS 12.0 ST
Cisco IOS 12.0 SP
Cisco IOS 12.0 SL
Cisco IOS 12.0 SC
Cisco IOS 12.0 S
Cisco IOS 12.0 DC
Cisco IOS 12.0 DB
Cisco IOS 12.0 DA
Cisco IOS 12.0
Cisco IOS 12.1 YI
Cisco IOS 12.1 YH
Cisco IOS 12.1 YF
Cisco IOS 12.1 YE
Cisco IOS 12.1 YD
Cisco IOS 12.1 YC
Cisco IOS 12.1 YB
Cisco IOS 12.1 XZ
Cisco IOS 12.1 XY
Cisco IOS 12.1 XX
Cisco IOS 12.1 XW
Cisco IOS 12.1 XV
Cisco IOS 12.1 XU
Cisco IOS 12.1 XT
Cisco IOS 12.1 XS
Cisco IOS 12.1 XR
Cisco IOS 12.1 XQ
Cisco IOS 12.1 XP
Cisco IOS 12.1 XM
Cisco IOS 12.1 XL
Cisco IOS 12.1 XK
Cisco IOS 12.1 XJ
Cisco IOS 12.1 XI
Cisco IOS 12.1 XH
Cisco IOS 12.1 XG
Cisco IOS 12.1 XF
Cisco IOS 12.1 XE
Cisco IOS 12.1 XD
Cisco IOS 12.1 XC
Cisco IOS 12.1 XB
Cisco IOS 12.1 XA
Cisco IOS 12.1 EY
Cisco IOS 12.1 EX
Cisco IOS 12.1 EW
Cisco IOS 12.1 EC
Cisco IOS 12.1 EA
Cisco IOS 12.1 E
Cisco IOS 12.1 DC
Cisco IOS 12.1 DB
Cisco IOS 12.1 DA
Cisco IOS 12.1 AA
Cisco IOS 12.1
Cisco IOS 12.2 YH
Cisco IOS 12.2 YG
Cisco IOS 12.2 YF
Cisco IOS 12.2 YD
Cisco IOS 12.2 YC
Cisco IOS 12.2 YB
Cisco IOS 12.2 YA
Cisco IOS 12.2 XW
Cisco IOS 12.2 XT
Cisco IOS 12.2 XS
Cisco IOS 12.2 XR
Cisco IOS 12.2 XQ
Cisco IOS 12.2 XN
Cisco IOS 12.2 XM
Cisco IOS 12.2 XL
Cisco IOS 12.2 XK
Cisco IOS 12.2 XJ
Cisco IOS 12.2 XI
Cisco IOS 12.2 XH
Cisco IOS 12.2 XG
Cisco IOS 12.2 XF
Cisco IOS 12.2 XE
Cisco IOS 12.2 XD
Cisco IOS 12.2 XC
Cisco IOS 12.2 XB
Cisco IOS 12.2 XA
Cisco IOS 12.2 T
Cisco IOS 12.2 S
Cisco IOS 12.2 MB
Cisco IOS 12.2 DD
Cisco IOS 12.2 DA
Cisco IOS 12.2 BZ
Cisco IOS 12.2 BX
Cisco IOS 12.2 BC
Cisco IOS 12.2 B
Cisco IOS 12.2
Recommendations
Implement multiple redundant layers of security. Multiple diverse layers of network access control should be implemented to limit the consequences of one layer failing and to protect network devices from attacks by malicious parties. Redundant network devices should be deployed to mitigate the consequences of attacks that affect the availability of network resources.
Further information regarding obtaining and applying fixes and workarounds can be found in the attached Cisco security advisory (cisco-sa-20030717). Some releases may not be available at this time, so users should also consult the advisory for further details regarding the availability of fixed releases.
Symantec ManHunt 2.2
To detect activity associated with this threat, Symantec recommends enabling the HYBRID MODE function in Symantec ManHunt and applying the following custom rules:
*******************start file********************
alert ip any any -> any any (msg:"Suspicious Traffic - IP Protocol 53 (SWIPE)"; ip_proto:53;)
alert ip any any -> any any (msg:"Suspicious Traffic - IP Protocol 55 (IP Mobility)"; ip_proto:55;)
alert ip any any -> any any (msg:"Suspicious Traffic - IP Protocol 77 (Sun ND)"; ip_proto:77;)
alert ip any any -> any any (msg:"Suspicious Traffic - IP Protocol 103 (PIM)"; ip_proto:103;)
*************EOF*********************
These signatures will trigger on the known vulnerable services. For more information on how to create custom signatures, refer to the "Symantec ManHunt Administrative Guide: Appendix A Custom Signatures for HYBRID Mode."
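The match logic of the four rules above, reproduced for offline use over captured IPv4 packets. This is an added example, not part of the Symantec advisory or of ManHunt; the function names and the sample packets (built from RFC 5737 documentation addresses) are constructed for illustration.

```python
import struct

# Protocol numbers and labels taken from the four custom rules above.
WATCHED = {53: "SWIPE", 55: "IP Mobility", 77: "Sun ND", 103: "PIM"}

IPV4_FIXED_HEADER = "!BBHHHBBH4s4s"  # the 20-byte fixed part of an IPv4 header

def parse_ipv4(packet: bytes):
    """Return (src, dst, proto) from a raw IPv4 packet, or None if malformed."""
    if len(packet) < 20:
        return None
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FIXED_HEADER, packet[:20])
    header_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or header_len < 20:
        return None                      # not IPv4, or impossible header length
    if len(packet) < header_len or total_len < header_len:
        return None                      # truncated capture or bad length field
    dotted = lambda raw: ".".join(str(b) for b in raw)
    return dotted(src), dotted(dst), proto

def alerts(packets):
    """Return one alert line per packet whose protocol field is in WATCHED."""
    out = []
    for pkt in packets:
        hdr = parse_ipv4(pkt)
        if hdr is None:
            continue                     # malformed input is skipped, not alerted
        src, dst, proto = hdr
        if proto in WATCHED:
            out.append(f"Suspicious Traffic - IP Protocol {proto} "
                       f"({WATCHED[proto]}) {src} -> {dst}")
    return out

def sample_header(proto, src, dst):
    """Constructed test input: a bare 20-byte IPv4 header, checksum left at 0."""
    return struct.pack(IPV4_FIXED_HEADER, 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes(src), bytes(dst))

# Constructed samples, for parsing only.
SAMPLES = [
    sample_header(6,   (192, 0, 2, 10), (198, 51, 100, 1)),  # TCP: no alert
    sample_header(103, (192, 0, 2, 11), (198, 51, 100, 1)),  # PIM: alert
    sample_header(53,  (192, 0, 2, 12), (198, 51, 100, 1)),  # SWIPE: alert
    b"\x45\x00",                                              # truncated: skipped
]

if __name__ == "__main__":
    for line in alerts(SAMPLES):
        print(line)
```

On networks that run PIM multicast routing, protocol 103 is normal traffic, so the PIM match needs an exclusion for known multicast routers before it is useful as an alert.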
Symantec ManHunt 3.0
Symantec has released a Service Update for users of Symantec ManHunt 3.0.
Symantec Gateway Security 1.0
Symantec has posted a LiveUpdate build containing signatures for this vulnerability. This was made available on the evening of 7/18/2003. Please run LiveUpdate to incorporate these signatures into your Symantec product.
References
Source: Cisco Homepage
URL: http://www.cisco.com
Source: Cisco Product Security Advisories and Notices
URL: http://www.cisco.com/warp/public/707/advisory.html
Source: Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
URL: http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
Credits
This vulnerability was announced by the vendor.
Copyright (c) 2003 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from symsecurity@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.