Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

Merit Joint Technical Staff

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Cisco IOS Interface Blocked by IPv4 Packets

  • From: Brian Cashman
  • Date: Sat Jul 19 11:21:02 2003

Many of you may be aware of the recent security advisory issued regarding IOS, Cisco's router and switch operating system software. Details of this advisory can be found at:

http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
http://www.cert.org/advisories/CA-2003-15.html

This message is to assure you that Merit is aware of the issue and is working to implement the appropriate fixes as quickly as possible.

The underlying issue is a vulnerability in the Cisco IOS that allows
certain, specially crafted sequences of packets to stop input interfaces
from processing traffic. Thus far, Merit has not experienced an exploit
and performance has not been affected in any way. However, we are
proactively working to protect MichNet from this vulnerability.

At this point, all of MichNet's border routers are protected, thus MichNet is not vulnerable to attacks from external networks. MichNet Operations is currently working to apply the Cisco-provided patch to all backbone equipment and expect to continue that effort throughout the weekend.

Once the backbone is secure, MichNet Operations will turn their attention to the approximately 350 access routers and switches used by our Members and Affiliates at their own locations. Obviously, correcting the vulnerability on such a large number of units will take time. MichNet Operations is currently analyzing the equipment inventory to determine how each model number and IOS version must be patched/upgraded to eliminate the vulnerability. Once analysis is complete, they will begin implementing the fix on a unit by unit basis. Most of the fixes will be applied remotely. However, some models may require upgrading to apply the appropriate patch. The appropriate site contact will be notified in these cases and the best solution determined for that location.

We will continue to keep you informed of our progress in eliminating this vulnerability.

Due to the pervasive nature of this vulnerability, network operators everywhere will be taking steps similar to the ones we're taking over the next few days to address this. As a result there may be instability or temporary unreachability on the network while these changes are made.

If you would like additional information regarding the advisory, an excerpt is attached below. As always, if you have any questions, feel free to contact me or your Support Team (http://www.merit.edu/merit/m&a.services.html).

Thanks,
Brian Cashman
Jennifer Wolf
Merit
_____________________________________________________________________

CISCO ADVISORY EXCERPT

Summary
=======

Cisco routers and switches running Cisco IOSŪ software and configured
to process Internet Protocol version 4 (IPv4) packets are vulnerable to
a Denial of Service (DoS) attack. A rare sequence of crafted IPv4
packets with specific protocol fields sent directly to the device may
cause the input interface to stop processing traffic once the input
queue is full. No authentication is required to process the inbound
packet. Processing of IPv4 packets is enabled by default. Devices
running only IP version 6 (IPv6) are not affected. A workaround is
available.


Affected Products
=================

This issue affects all Cisco devices running Cisco IOS software and
configured to process Internet Protocol version 4 (IPv4) packets. Cisco
devices which do not run Cisco IOS software are not affected. Devices
which run only Internet Protocol version 6 (IPv6) are not affected.










Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.