Mail-Followup-To: Dmitri Kalintsev <dek@hades.uz>, inet-admins@info.east.ru
User-Agent: Mutt/1.2.5i
Dedicated to those who don't read cisco-nsp:
----- Forwarded message from Cisco Systems Product Security Incident Response Team <psirt@cisco.com> -----
> Date: Thu, 10 May 2001 09:30:00 -0700 (PDT)
> From: Cisco Systems Product Security Incident Response Team <psirt@cisco.com>
> Subject: [nsp] Cisco Security Advisory: Cisco IOS BGP Attribute Corruption Vulnerability
> To: cisco-nsp@puck.nether.net
> Cc: psirt@cisco.com
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Cisco Security Advisory: Cisco IOS BGP Attribute Corruption Vulnerability
> =========================================================================
> Revision 1.0
>
> For Public Release 2001 May 10 08:00 AM US/Pacific (UTC -0700)
>
> ------------------------------------------------------------------------
>
> Summary
> =======
>
> A Border Gateway Protocol (BGP) UPDATE contains Network Layer
> Reachability Information (NLRI) and attributes that describe the path to
> the destination. An unrecognized transitive attribute can cause failures in
> Cisco IOS routers, ranging from a crash upon receipt of the unrecognized
> transitive attribute, to a later failure upon attempt to clear the
> unrecognized transitive attribute. Specific but common configurations are
> affected, and described below. The failure was discovered because of a
> malfunction in the BGP implementation of another vendor. There is no
> workaround. Affected customers are urged to upgrade to fixed code.
>
> This vulnerability has been assigned Cisco bug ID CSCdt79947.
>
> The complete text of this advisory will be located at
> http://www.cisco.com/warp/public/707/ios-bgp-attr-corruption-pub.shtml
>
> Affected Products
> =================
>
> Configurations including BGP4 Prefix Filtering with Inbound Route Maps are
> vulnerable. BGP with prefix or inbound routemap filtering was introduced
> in Cisco IOS® Software version 11.2. The following versions of Cisco IOS
> Software are affected and listed in the table below: 11.CC and its
> derivatives, 11.2 and its derivatives, 11.3, 11.3T, 12.0, 12.0S and special
> branches taken out of 12.0 are all affected. The versions of Cisco IOS
> Software based on 12.1, 12.0(5)T, 12.2, 12.0ST, and 12.1(E) are not
> affected. The following products are affected if they run a Cisco IOS
> software release that has the defect. To determine if a Cisco product is
> running an affected IOS, log in to the device and issue the show version
> command. Cisco IOS software will identify itself as "Internetwork Operating
> System Software" or "IOS (tm)" software and will display a version number.
> Other Cisco devices either will not have the show version command, or will
> give different output. Compare the version number obtained from the router
> with the versions presented in the Software Versions and Fixes section
> below.
>
> Cisco devices that may be running with affected Cisco IOS software releases
> include:
>
> * Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000,
> 1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500,
> 4700, AS5200, AS5300, AS5800, 6400, 7000, 7200, ubr7200, 7500, and
> 12000 series.
>
> Cisco devices that may be running Cisco IOS Software, but do NOT support
> BGP and are therefore not vulnerable include:
>
> * Most recent versions of the LS1010 ATM switch.
> * The Catalyst 2900XL LAN switch only if it is running IOS.
> * The Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN switches.
> * The Cisco DistributedDirector.
>
> If you are not running Cisco IOS software, you are not affected by this
> vulnerability. If you are not running BGP, you are not affected by this
> vulnerability.
>
> Cisco products that do not run Cisco IOS software and are not affected by
> this defect include, but are not limited to:
>
> * 700 series dialup routers (750, 760, and 770 series) are not affected.
> * The Catalyst 6000 is not affected if it is not running IOS.
> * WAN switching products in the IGX and BPX lines are not affected.
> * The MGX (formerly known as the AXIS shelf) is not affected.
> * No host-based software is affected.
> * The Cisco PIX Firewall is not affected.
> * The Cisco LocalDirector is not affected.
> * The Cisco Cache Engine is not affected.
>
> Details
> =======
>
> A Border Gateway Protocol (BGP) UPDATE contains Network Layer Reachability
> Information (NLRI) and attributes that describe the path to the
> destination. Each path attribute is a type, length, value (TLV) object.
> This failure occurs as a result of memory corruption and only in
> configurations using specific inbound route filtering. The failure was
> discovered because of a malfunction in the BGP implementation of another
> vendor. There is no workaround.
>
> Impact
> ======
>
> The vulnerability can be exercised repeatedly, affecting core routers,
> creating widespread network outages. This vulnerability can only be
> exercised in configurations that include both BGP and inbound route
> filtering on affected software.
>
> Software Versions and Fixes
> ===========================
>
> The following table summarizes the Cisco IOS software releases that are
> known to be affected, and the earliest estimated dates of availability for
> the recommended fixed versions. Dates are always tentative and subject to
> change.
>
> Each row of the table describes a release train and the platforms or
> products for which it is intended. If a given release train is vulnerable,
> then the earliest possible releases that contain the fix and the
> anticipated date of availability for each are listed in the "Rebuild",
> "Interim", and "Maintenance" columns. A device running any release in the
> given train that is earlier than the release in a specific column (less
> than the earliest fixed release) is known to be vulnerable, and it should
> be upgraded at least to the indicated release or a later version (greater
> than the earliest fixed release label).
>
> When selecting a release, keep in mind the following definitions:
>
> Maintenance
>     Most heavily tested and highly recommended release of any label
>     in a given row of the table.
>
> Rebuild
>     Constructed from the previous maintenance or major release in the
>     same train, it contains the fix for a specific defect. Although
>     it receives less testing, it contains only the minimal changes
>     necessary to effect the repair.
>
> Interim
>     Built at regular intervals between maintenance releases and
>     receive less testing. Interims should be selected only if there
>     is no other suitable release that addresses the vulnerability,
>     and interim images should be upgraded to the next available
>     maintenance release as soon as possible. Interim releases are not
>     available via manufacturing, and usually they are not available
>     for customer download from CCO without prior arrangement with the
>     Cisco TAC.
>
> In all cases, customers should exercise caution to be certain the devices
> to be upgraded contain sufficient memory and that current hardware and
> software configurations will continue to be supported properly by the new
> release. If the information is not clear, contact the Cisco TAC for
> assistance as shown later in this notice.
>
> More information on Cisco IOS Software release names and abbreviations is
> available at
> http://www.cisco.com/warp/public/cc/pd/iosw/iore/prodlit/537_pp.htm.
>
>
> +===========================================================================+
> Train       Description of                Availability of Fixed Releases*
>             Image or Platform
> +===========================================================================+
> 11.0-based Releases                       Rebuild   Interim   Maintenance
> +===========================================================================+
> 11.0        Major GD release for all      Not vulnerable
>             platforms
> +===========================================================================+
> 11.1-based Releases                       Rebuild   Interim   Maintenance
> +===========================================================================+
> 11.1        Major release for all         Not vulnerable
>             platforms
> +---------------------------------------------------------------------------+
> 11.1AA      ED release for access         Not vulnerable
>             servers: 1600, 3200, and
>             5200 series.
> +---------------------------------------------------------------------------+
> 11.1CA      Platform-specific support     End of Engineering
>             for 7500, 7200, 7000, and     Not scheduled
>             RSP
> +---------------------------------------------------------------------------+
> 11.1CC      ISP train: added support for  11.1(36)CC2
>             FIB, CEF, and NetFlow on      Not scheduled
>             7500, 7200, 7000, and RSP
> +---------------------------------------------------------------------------+
> 11.1CT      Added support for Tag         End of Engineering
>             Switching on 7500, 7200,      Upgrade recommended to 12.0(14)ST
>             7000, and RSP
> +---------------------------------------------------------------------------+
> 11.1IA      Distributed Director only     Not Vulnerable
> +===========================================================================+
> 11.2-based Releases                       Rebuild   Interim   Maintenance
> +===========================================================================+
> 11.2        Major release, general        End of Engineering
>             deployment                    Not scheduled
> +---------------------------------------------------------------------------+
> 11.2BC      Platform-specific support     End of Engineering
>             for IBM networking, CIP, and  Upgrade recommended to 12.1(8)
>             TN3270 on 7500, 7000, and
>             RSP
> +---------------------------------------------------------------------------+
> 11.2F       Feature train for all         End of Engineering
>             platforms                     Upgrade recommended
> +---------------------------------------------------------------------------+
> 11.2GS      Early deployment release to   End of Engineering
>             support 12000 GSR             Upgrade recommended to 12.0(17)S
> +---------------------------------------------------------------------------+
> 11.2P       New platform support          End of Engineering
>                                           Upgrade recommended to 12.0(17)
> +---------------------------------------------------------------------------+
> 11.2SA      Catalyst 2900XL switch only   Not vulnerable
> +---------------------------------------------------------------------------+
> 11.2WA3     LightStream 1010 ATM switch   Not vulnerable
> +---------------------------------------------------------------------------+
> 11.2(4)XAf  Initial release for the 1600  End of Engineering
>             and 3600                      Upgrade recommended
> +---------------------------------------------------------------------------+
> 11.2(9)XA   Initial release for the 5300  End of Engineering
>             and digital modem support     Upgrade recommended
>             for the 3600
> +===========================================================================+
> 11.3-based Releases                       Rebuild   Interim   Maintenance
> +===========================================================================+
> 11.3        Major release for all         End of Engineering
>             platforms                     Upgrade recommended to 12.0(17)
> +---------------------------------------------------------------------------+
> 11.3AA      ED for dial platforms and     End of Engineering
>             access servers: 5800, 5200,   Upgrade recommended to 12.0(17)
>             5300, 7200
> +---------------------------------------------------------------------------+
> 11.3DA      Early deployment train for    End of Engineering
>             ISP DSLAM 6200 platform       Upgrade recommended to 12.1(5)DA1
> +---------------------------------------------------------------------------+
> 11.3DB      Early deployment train for    End of Engineering
>             ISP/Telco/PTT xDSL broadband  Upgrade recommended to 12.1(4)DB1
>             concentrator platform, (NRP)
>             for 6400
> +---------------------------------------------------------------------------+
> 11.3HA      Short-lived ED release for    End of Engineering
>             ISR 3300 (SONET/SDH router)   Upgrade recommended to 12.0
> +---------------------------------------------------------------------------+
> 11.3MA      MC3810 functionality only     Not available
>                                           Not scheduled
> +---------------------------------------------------------------------------+
> 11.3NA      Voice over IP, media          End of Engineering
>             convergence, various          Upgrade recommended to 12.0(5)T
>             platforms
> +---------------------------------------------------------------------------+
> 11.3T       Early deployment major        End of Engineering
>             release, feature-rich for     Upgrade recommended to 12.0(17)
>             early adopters
> +---------------------------------------------------------------------------+
> 11.3WA4     Multilayer Switching and      End of Engineering
>             Multiprotocol over ATM        Upgrade recommended
>             functionality for Catalyst
>             5000 RSM, 4500, 4700, 7200,
>             7500, LightStream 1010
> +---------------------------------------------------------------------------+
> 11.3(2)XA   Introduction of ubr7246 and   End of Engineering
>             2600                          Upgrade recommended
> +===========================================================================+
> 12.0-based Releases                       Rebuild   Interim   Maintenance
> +===========================================================================+
> 12.0        General deployment release    12.0(17)
>             for all platforms             2001-Apr-23
> +---------------------------------------------------------------------------+
> 12.0DA      xDSL support: 6100, 6200      Unavailable
>                                           Upgrade recommended to 12.1(5)DA1
> +---------------------------------------------------------------------------+
> 12.0DB      Early Deployment (ED)         Unavailable
>             release, which delivers       Upgrade recommended to 12.1(4)DB1
>             support for the Cisco 6400
>             Universal Access
>             Concentrator (UAC) for Node
>             Switch Processor (NSP)
> +---------------------------------------------------------------------------+
> 12.0DC      Early Deployment (ED)         Unavailable
>             release, which delivers       Upgrade recommended to 12.1(5)DC
>             support for the Cisco 6400
>             Universal Access
>             Concentrator (UAC) for Node
>             Route Processor (NRP)
> +---------------------------------------------------------------------------+
> 12.0S       Core/ISP support: GSR, RSP,   12.0(15)S3, 12.0(16)S1
>             c7200                         2001-April-23, 2001-April-30
>                                           12.0(16.06)S
>                                           12.0(17)S  2001-May-07
> +---------------------------------------------------------------------------+
> 12.0SC      Cable/broadband ISP: ubr7200  Not vulnerable
> +---------------------------------------------------------------------------+
> 12.0SL      10000 ESR: c10k               Not vulnerable
> +---------------------------------------------------------------------------+
> 12.0ST      Cisco IOS software Release    Not vulnerable
>             12.0ST is an early
>             deployment (ED) release for
>             the Cisco 7200, 7500/7000RSP
>             and 12000 (GSR) series
>             routers for Service
>             Providers (ISPs).
> +---------------------------------------------------------------------------+
> 12.0T       Early Deployment (ED): VPN,   12.0(5)T
>             Distributed Director,
>             various platforms
> +---------------------------------------------------------------------------+
> 12.0W5      Catalyst switches:            12.0(10)W5(18g)
>             cat2948g-l3, cat4232          2001-Apr-20
>             ----------------------------------------------------------------
>             cat8510c, cat8540c, c6msm,    12.0(16)W5(21)
>             ls1010, cat8510m, cat8540m,   2001-May-21
>             c5atm
> +---------------------------------------------------------------------------+
> 12.0WT      Catalyst switches: cat4840g   Not vulnerable
> +---------------------------------------------------------------------------+
> 12.0XA      Early Deployment (ED):        Unavailable
>             limited platforms             Upgrade recommended to 12.1(8),
>                                           available 2001-Apr-23
> +---------------------------------------------------------------------------+
> 12.0XB      Short-lived early deployment  Unavailable
>             release                       Upgrade recommended to 12.1(8),
>                                           available 2001-Apr-23
> +---------------------------------------------------------------------------+
> 12.0XC      Early Deployment (ED):        Unavailable
>             limited platforms             Upgrade recommended to 12.1(8),
>                                           available 2001-Apr-23
> +---------------------------------------------------------------------------+
> 12.0XD      Early Deployment (ED):        Unavailable
>             limited platforms             Upgrade recommended to 12.1(8),
>                                           available 2001-Apr-23
> +---------------------------------------------------------------------------+
> 12.0XE      Early Deployment (ED):        Not Vulnerable
>             limited platforms
> +---------------------------------------------------------------------------+
> 12.0XF      Early Deployment (ED):        Unavailable
>             limited platforms             Upgrade recommended to 12.1(8),
>                                           available 2001-Apr-23
> +---------------------------------------------------------------------------+
> 12.0XG      Early Deployment (ED):        Unavailable
>             limited platforms             Upgrade recommended to 12.1(8),
>                                           available 2001-Apr-23
> +---------------------------------------------------------------------------+
> 12.0XH      Early Deployment (ED):        Unavailable
>             limited platforms             Upgrade recommended to 12.1(8),
>                                           available 2001-Apr-23
> +---------------------------------------------------------------------------+
> 12.0XI      Early Deployment (ED):        Unavailable
>             limited platforms             Upgrade recommended to 12.1(8),
>                                           available 2001-Apr-23
> +---------------------------------------------------------------------------+
> 12.0XJ      Early Deployment (ED):        Unavailable
>             limited platforms             Upgrade recommended to 12.1(8),
>                                           available 2001-Apr-23
> +---------------------------------------------------------------------------+
> 12.0XK      Early Deployment (ED):        Not vulnerable
>             limited platforms
> +---------------------------------------------------------------------------+
> 12.0XL      Early Deployment (ED):        Not vulnerable
>             limited platforms
> +---------------------------------------------------------------------------+
> 12.0XM      Short-lived early deployment  Not vulnerable
>             release
> +---------------------------------------------------------------------------+
> 12.0XN      Early Deployment (ED):        Not vulnerable
>             limited platforms
> +---------------------------------------------------------------------------+
> 12.0XP      Early Deployment (ED):        Not vulnerable
>             limited platforms
> +---------------------------------------------------------------------------+
> 12.0XQ      Short-lived early deployment  Not vulnerable
>             release
> +---------------------------------------------------------------------------+
> 12.0XR      Short-lived early deployment  Not vulnerable
>             release
> +---------------------------------------------------------------------------+
> 12.0XS      Short-lived early deployment  Not vulnerable
>             release
> +---------------------------------------------------------------------------+
> 12.0XU      Early Deployment (ED):        Not vulnerable
>             limited platforms
> +---------------------------------------------------------------------------+
> 12.0XV      Short-lived early deployment  Not vulnerable
>             release
> +===========================================================================+
> 12.1-based and Later Releases             Rebuild   Interim   Maintenance
> +===========================================================================+
> 12.1        General deployment release    Not vulnerable
>             for all platforms
> +===========================================================================+
> Notes
> +===========================================================================+
> * All dates are estimated and subject to change.
>
> ** Interim releases are subjected to less rigorous testing than regular
> maintenance releases, and may have serious bugs.
> +===========================================================================+
>
> Getting Fixed Software
> ======================
>
> Cisco is offering free software upgrades to remedy this vulnerability for
> all affected customers.
>
> Customers with contracts should obtain upgraded software through their
> regular update channels. For most customers, this means that upgrades
> should be obtained via the Software Center on Cisco's Worldwide Web site at
> http://www.cisco.com.
>
> Customers without contracts should get their upgrades by contacting the
> Cisco Technical Assistance Center (TAC). TAC contacts are as follows:
>
> * +1 800 553 2447 (toll-free from within North America)
> * +1 408 526 7209 (toll call from anywhere in the world)
> * e-mail: tac@cisco.com
>
> See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
> additional TAC contact information, including instructions and e-mail
> addresses for use in various languages.
>
> Give the URL of this notice as evidence of your entitlement to a free
> upgrade. Free upgrades for non-contract customers must be requested through
> the TAC. Please do not contact either "psirt@cisco.com" or
> "security-alert@cisco.com" for software upgrades.
>
> Workarounds
> ===========
>
> There are no known workarounds for this vulnerability. Please upgrade to
> fixed versions.
>
> Exploitation and Public Announcements
> =====================================
>
> Cisco has had no reports of malicious exploitation of this vulnerability.
> The failure was discovered because of a malfunction in the BGP
> implementation of another vendor, which caused a series of crashes that led
> to the identification of this issue.
>
> Cisco knows of no public announcements of this vulnerability before the
> date of this notice.
>
> Status of This Notice: FINAL
> ============================
>
> This is a final notice. Although Cisco cannot guarantee the accuracy of all
> statements in this notice, all of the facts have been checked to the best
> of our ability. Cisco does not anticipate issuing updated versions of
> this notice unless there is some material change in the facts. Should there
> be a significant change in the facts, Cisco may update this notice.
>
>
> Distribution
> ============
>
> This notice will be posted on Cisco's Worldwide Web site at
> http://www.cisco.com/warp/public/707/ios-bgp-attr-corruption-pub.shtml. In
> addition to Worldwide Web posting, a text version of this notice is
> clear-signed with the Cisco PSIRT PGP key and is posted to the following
> e-mail and Usenet news recipients:
>
> * cust-security-announce@cisco.com
> * bugtraq@securityfocus.com
> * firewalls@lists.gnac.com
> * first-teams@first.org (includes CERT/CC)
> * cisco@spot.colorado.edu
> * cisco-nsp@puck.nether.net
> * comp.dcom.sys.cisco
> * Various internal Cisco mailing lists
>
> Future updates of this notice, if any, will be placed on Cisco's Worldwide
> Web server, but may or may not be actively announced on mailing lists or
> newsgroups. Users concerned about this problem are encouraged to check the
> URL given above for any updates.
>
> Revision History
> ================
>
> Revision Number 1.0    Initial Public Release
>
> Cisco Security Procedures
> =========================
>
> Complete information on reporting security vulnerabilities in Cisco
> products, obtaining assistance with security incidents, and registering to
> receive security information from Cisco, is available on Cisco's Worldwide
> Web site at
> http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
> includes instructions for press inquiries regarding Cisco security notices.
>
> ------------------------------------------------------------------------
>
> This notice is Copyright 2001 by Cisco Systems, Inc. This notice may be
> redistributed freely after the release date given at the top of the text,
> provided that redistributed copies are complete and unmodified, and include
> all date and version information.
>
> ------------------------------------------------------------------------
>
>
----- End forwarded message -----
--
CCNP, CCDP (R&S) Dmitri E. Kalintsev
CDPlayer@irc Network Architect @ connect.com.au
dek @ connect.com.au phone: +61 39 674 3913 fax: 251 3666
http://-UNAVAIL- UIN:7150410 cell: +61 41 335 1634
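
Added example, not part of the forwarded advisory and not Cisco's code: a parser for the path attribute TLVs described under Details. It checks every length against the bytes that remain before reading, and reports what the BGP-4 rules prescribe for each attribute, including the unrecognized optional transitive case that a receiver keeps and passes on. The recognized-type list (KNOWN_TYPES), the disposition strings and the SAMPLE bytes are assumptions constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Attribute Flags octet, high-order bits (BGP-4 specification).
OPTIONAL, TRANSITIVE, PARTIAL, EXT_LEN = 0x80, 0x40, 0x20, 0x10

# Type codes this example treats as recognized. Assumption: a real speaker's
# list depends on its software version.
KNOWN_TYPES = {
    1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MULTI_EXIT_DISC",
    5: "LOCAL_PREF", 6: "ATOMIC_AGGREGATE", 7: "AGGREGATOR", 8: "COMMUNITIES",
}


@dataclass
class PathAttr:
    flags: int
    type_code: int
    value: bytes

    @property
    def name(self) -> str:
        return KNOWN_TYPES.get(self.type_code, f"UNKNOWN({self.type_code})")


def parse_path_attributes(buf: bytes) -> list:
    """Decode the Path Attributes field of an UPDATE into PathAttr objects.

    Every length is checked against the bytes that remain before slicing,
    so a truncated or over-long attribute raises ValueError.
    """
    attrs, off = [], 0
    while off < len(buf):
        if len(buf) - off < 3:
            raise ValueError(f"truncated attribute header at offset {off}")
        flags, type_code = buf[off], buf[off + 1]
        off += 2
        if flags & EXT_LEN:  # two-octet length field
            if len(buf) - off < 2:
                raise ValueError(f"truncated extended length at offset {off}")
            (length,) = struct.unpack_from("!H", buf, off)
            off += 2
        else:  # one-octet length field
            length = buf[off]
            off += 1
        if length > len(buf) - off:
            raise ValueError(
                f"type {type_code}: length {length} exceeds remaining {len(buf) - off}")
        attrs.append(PathAttr(flags, type_code, buf[off:off + length]))
        off += length
    return attrs


def disposition(attr: PathAttr) -> str:
    """What the BGP-4 rules say a receiver does with this attribute."""
    if attr.type_code in KNOWN_TYPES:
        return "process"
    if not attr.flags & OPTIONAL:
        return "error: unrecognized well-known"
    if attr.flags & TRANSITIVE:
        return "keep and forward with Partial bit set"
    return "ignore"


# Constructed sample: ORIGIN, AS_PATH, NEXT_HOP, then two made-up type codes
# (200 optional transitive with extended length, 201 optional non-transitive).
SAMPLE = bytes.fromhex(
    "40010100" "4002040201fc00" "400304c0000201" "d0c80003010203" "80c900"
)

if __name__ == "__main__":
    for a in parse_path_attributes(SAMPLE):
        print(f"{a.name:<14} flags=0x{a.flags:02x} len={len(a.value):<3} {disposition(a)}")
```

Because an unrecognized transitive attribute is kept and passed along rather than dropped, one malfunctioning speaker can put the same attribute in front of many routers, which is consistent with the advisory's note that the failure can be exercised repeatedly.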