
Monthly List Reminder
by noreply@apnic.net
Dear Subscriber,
This is the monthly reminder of subscription information for the
apops list, hosted at APNIC.
For subscription information including how to un-subscribe go to
http://mailman.apnic.net/mailman/listinfo/apops
Thank you for participating in this discussion.
Kind Regards,
List administrator

Weekly Routing Table Report
by Routing Analysis Role Account
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.
Daily listings are sent to bgp-stats(a)lists.apnic.net
For historical data, please see http://thyme.apnic.net.
If you have any comments please contact Philip Smith <pfs(a)cisco.com>.
Routing Table Report 04:00 +10GMT Sat 29 Mar, 2008
Report Website: http://thyme.apnic.net
Detailed Analysis: http://thyme.apnic.net/current/
Analysis Summary
----------------
BGP routing table entries examined: 250362
Prefixes after maximum aggregation: 125916
Deaggregation factor: 1.99
Unique aggregates announced to Internet: 121576
Total ASes present in the Internet Routing Table: 27752
Prefixes per ASN: 9.02
Origin-only ASes present in the Internet Routing Table: 24169
Origin ASes announcing only one prefix: 11220
Transit ASes present in the Internet Routing Table: 3583
Transit-only ASes present in the Internet Routing Table: 76
Average AS path length visible in the Internet Routing Table: 3.6
Max AS path length visible: 18
Max AS path prepend of ASN (43380) 13
Prefixes from unregistered ASNs in the Routing Table: 25295
Unregistered ASNs in the Routing Table: 1915
Number of 32-bit ASNs allocated by the RIRs: 47
Prefixes from 32-bit ASNs in the Routing Table: 8
Special use prefixes present in the Routing Table: 0
Prefixes being announced from unallocated address space: 855
Number of addresses announced to Internet: 1851948960
Equivalent to 110 /8s, 98 /16s and 127 /24s
Percentage of available address space announced: 50.0
Percentage of allocated address space announced: 61.4
Percentage of available address space allocated: 81.4
Percentage of address space in use by end-sites: 71.0
Total number of prefixes smaller than registry allocations: 119223
APNIC Region Analysis Summary
-----------------------------
Prefixes being announced by APNIC Region ASes: 42339
Total APNIC prefixes after maximum aggregation: 13317
APNIC Deaggregation factor: 3.18
Prefixes being announced from the APNIC address blocks: 54523
Unique aggregates announced from the APNIC address blocks: 23244
APNIC Region origin ASes present in the Internet Routing Table: 1909
APNIC Prefixes per ASN: 28.56
APNIC Region origin ASes announcing only one prefix: 554
APNIC Region transit ASes present in the Internet Routing Table: 352
Average APNIC Region AS path length visible: 3.6
Max APNIC Region AS path length visible: 18
Number of APNIC addresses announced to Internet: 337576544
Equivalent to 20 /8s, 31 /16s and 2 /24s
Percentage of available APNIC address space announced: 77.4
APNIC AS Blocks 4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations) 23552-24575, 37888-38911, 45056-46079
APNIC Address Blocks 58/8, 59/8, 60/8, 61/8, 114/8, 115/8, 116/8,
117/8, 118/8, 119/8, 120/8, 121/8, 122/8, 123/8,
124/8, 125/8, 126/8, 202/8, 203/8, 210/8, 211/8,
218/8, 219/8, 220/8, 221/8, 222/8,
ARIN Region Analysis Summary
----------------------------
Prefixes being announced by ARIN Region ASes: 106733
Total ARIN prefixes after maximum aggregation: 58780
ARIN Deaggregation factor: 1.82
Prefixes being announced from the ARIN address blocks: 85545
Unique aggregates announced from the ARIN address blocks: 33880
ARIN Region origin ASes present in the Internet Routing Table: 11657
ARIN Prefixes per ASN: 7.34
ARIN Region origin ASes announcing only one prefix: 4528
ARIN Region transit ASes present in the Internet Routing Table: 1042
Average ARIN Region AS path length visible: 3.4
Max ARIN Region AS path length visible: 16
Number of ARIN addresses announced to Internet: 360984448
Equivalent to 21 /8s, 132 /16s and 47 /24s
Percentage of available ARIN address space announced: 74.2
ARIN AS Blocks 1-1876, 1902-2042, 2044-2046, 2048-2106
(pre-ERX allocations) 2138-2584, 2615-2772, 2823-2829, 2880-3153
3354-4607, 4865-5119, 5632-6655, 6912-7466
7723-8191, 10240-12287, 13312-15359, 16384-17407
18432-20479, 21504-23551, 25600-26591,
26624-27647, 29696-30719, 31744-33791
35840-36863, 39936-40959
ARIN Address Blocks 24/8, 63/8, 64/8, 65/8, 66/8, 67/8, 68/8,
69/8, 70/8, 71/8, 72/8, 73/8, 74/8, 75/8,
76/8, 96/8, 97/8, 98/8, 99/8, 173/8, 174/8,
199/8, 204/8, 205/8, 206/8, 207/8, 208/8, 209/8,
216/8,
RIPE Region Analysis Summary
----------------------------
Prefixes being announced by RIPE Region ASes: 53206
Total RIPE prefixes after maximum aggregation: 33043
RIPE Deaggregation factor: 1.61
Prefixes being announced from the RIPE address blocks: 48775
Unique aggregates announced from the RIPE address blocks: 32684
RIPE Region origin ASes present in the Internet Routing Table: 11085
RIPE Prefixes per ASN: 4.40
RIPE Region origin ASes announcing only one prefix: 5781
RIPE Region transit ASes present in the Internet Routing Table: 1703
Average RIPE Region AS path length visible: 4.0
Max RIPE Region AS path length visible: 18
Number of RIPE addresses announced to Internet: 350432384
Equivalent to 20 /8s, 227 /16s and 44 /24s
Percentage of available RIPE address space announced: 80.3
RIPE AS Blocks 1877-1901, 2043, 2047, 2107-2136, 2585-2614
(pre-ERX allocations) 2773-2822, 2830-2879, 3154-3353, 5377-5631
6656-6911, 8192-9215, 12288-13311, 15360-16383
20480-21503, 24576-25599, 28672-29695
30720-31743, 33792-35839, 38912-39935
40960-45055
RIPE Address Blocks 62/8, 77/8, 78/8, 79/8, 80/8, 81/8, 82/8,
83/8, 84/8, 85/8, 86/8, 87/8, 88/8, 89/8,
90/8, 91/8, 92/8, 93/8, 94/8, 95/8, 193/8,
194/8, 195/8, 212/8, 213/8, 217/8,
LACNIC Region Analysis Summary
------------------------------
Prefixes being announced by LACNIC Region ASes: 19204
Total LACNIC prefixes after maximum aggregation: 4812
LACNIC Deaggregation factor: 3.99
Prefixes being announced from the LACNIC address blocks: 17548
Unique aggregates announced from the LACNIC address blocks: 9612
LACNIC Region origin ASes present in the Internet Routing Table: 883
LACNIC Prefixes per ASN: 19.87
LACNIC Region origin ASes announcing only one prefix: 277
LACNIC Region transit ASes present in the Internet Routing Table: 154
Average LACNIC Region AS path length visible: 4.0
Max LACNIC Region AS path length visible: 16
Number of LACNIC addresses announced to Internet: 49885696
Equivalent to 2 /8s, 249 /16s and 50 /24s
Percentage of available LACNIC address space announced: 49.6
LACNIC AS Blocks 26592-26623, 27648-28671, plus ERX transfers
LACNIC Address Blocks 186/8, 187/8, 189/8, 190/8, 200/8, 201/8,
AfriNIC Region Analysis Summary
-------------------------------
Prefixes being announced by AfriNIC Region ASes: 3584
Total AfriNIC prefixes after maximum aggregation: 1124
AfriNIC Deaggregation factor: 3.19
Prefixes being announced from the AfriNIC address blocks: 3987
Unique aggregates announced from the AfriNIC address blocks: 1808
AfriNIC Region origin ASes present in the Internet Routing Table: 234
AfriNIC Prefixes per ASN: 17.04
AfriNIC Region origin ASes announcing only one prefix: 80
AfriNIC Region transit ASes present in the Internet Routing Table: 45
Average AfriNIC Region AS path length visible: 3.8
Max AfriNIC Region AS path length visible: 14
Number of AfriNIC addresses announced to Internet: 10167552
Equivalent to 0 /8s, 155 /16s and 37 /24s
Percentage of available AfriNIC address space announced: 30.3
AfriNIC AS Blocks 36864-37887 & ERX transfers
AfriNIC Address Blocks 41/8, 196/8,
APNIC Region per AS prefix count summary
----------------------------------------
ASN No of nets /20 equiv MaxAgg Description
4755 1619 387 87 Videsh Sanchar Nigam Ltd. Aut
9583 1152 140 16 Sify Limited
9498 1129 550 63 BHARTI BT INTERNET LTD.
17488 1045 67 83 Hathway IP Over Cable Interne
4134 859 12487 319 CHINANET-BACKBONE
4766 850 6005 341 Korea Telecom (KIX)
18101 673 126 52 Reliance Infocom Ltd Internet
9829 586 450 12 BSNL National Internet Backbo
4812 562 969 92 China Telecom (Shanghai)
1221 542 1950 418 Telstra Pty Ltd
Complete listing at http://thyme.apnic.net/current/data-ASnet-APNIC
ARIN Region per AS prefix count summary
---------------------------------------
ASN No of nets /20 equiv MaxAgg Description
7018 1427 5927 1009 AT&T WorldNet Services
2386 1399 658 851 AT&T Data Communications Serv
4323 1396 1028 368 Time Warner Telecom
11492 1219 147 23 Cable One
7011 1082 315 615 Citizens Utilities
18566 1046 296 10 Covad Communications
1785 1007 479 107 AppliedTheory Corporation
6197 989 728 477 BellSouth Network Solutions,
174 966 6834 812 Cogent Communications
20115 915 859 508 Charter Communications
Complete listing at http://thyme.apnic.net/current/data-ASnet-ARIN
RIPE Region per AS prefix count summary
---------------------------------------
ASN No of nets /20 equiv MaxAgg Description
3292 398 1777 362 TDC Tele Danmark
8452 358 188 7 TEDATA
3301 341 1459 310 TeliaNet Sweden
3320 322 7045 267 Deutsche Telekom AG
8866 293 78 24 Bulgarian Telecommunication C
5462 292 666 26 Telewest Broadband
3215 278 2671 91 France Telecom Transpac
6746 264 127 242 Dynamic Network Technologies,
680 259 2046 258 DFN-IP service G-WiN
9155 254 46 11 QualityNet AS number
Complete listing at http://thyme.apnic.net/current/data-ASnet-RIPE
LACNIC Region per AS prefix count summary
-----------------------------------------
ASN No of nets /20 equiv MaxAgg Description
8151 1187 2448 222 UniNet S.A. de C.V.
11830 555 299 9 Instituto Costarricense de El
7303 452 220 60 Telecom Argentina Stet-France
16814 426 27 10 NSS, S.A.
11172 410 117 69 Servicios Alestra S.A de C.V
6471 396 85 39 ENTEL CHILE S.A.
10620 396 104 50 TVCABLE BOGOTA
14117 352 25 15 Telefonica del Sur S.A.
22047 322 270 14 VTR PUNTO NET S.A.
10481 310 152 10 Prima S.A.
Complete listing at http://thyme.apnic.net/current/data-ASnet-LACNIC
AfriNIC Region per AS prefix count summary
------------------------------------------
ASN No of nets /20 equiv MaxAgg Description
24863 452 60 27 LINKdotNET AS number
3741 287 869 223 The Internet Solution
2018 258 276 112 Tertiary Education Network
20858 183 34 3 EgyNet
6713 143 135 11 Itissalat Al-MAGHRIB
33783 130 9 16 EEPAD TISP TELECOM & INTERNET
5536 121 8 16 Internet Egypt Network
33776 99 6 7 Starcomms Nigeria Limited
24835 89 48 7 RAYA Telecom - Egypt
2905 83 176 74 The Internetworking Company o
Complete listing at http://thyme.apnic.net/current/data-ASnet-AFRINIC
Global Per AS prefix count summary
----------------------------------
ASN No of nets /20 equiv MaxAgg Description
6389 1914 3009 94 bellsouth.net, inc.
23577 1634 34 699 Korea Telecom (ATM-MPLS)
4755 1619 387 87 Videsh Sanchar Nigam Ltd. Aut
7018 1427 5927 1009 AT&T WorldNet Services
2386 1399 658 851 AT&T Data Communications Serv
4323 1396 1028 368 Time Warner Telecom
11492 1219 147 23 Cable One
8151 1187 2448 222 UniNet S.A. de C.V.
9583 1152 140 16 Sify Limited
9498 1129 550 63 BHARTI BT INTERNET LTD.
Complete listing at http://thyme.apnic.net/current/data-ASnet
Global Per AS Maximum Aggr summary
----------------------------------
ASN No of nets Net Savings Description
4755 1619 1532 Videsh Sanchar Nigam Ltd. Aut
11492 1219 1196 Cable One
9583 1152 1136 Sify Limited
9498 1129 1066 BHARTI BT INTERNET LTD.
18566 1046 1036 Covad Communications
4323 1396 1028 Time Warner Telecom
8151 1187 965 UniNet S.A. de C.V.
17488 1045 962 Hathway IP Over Cable Interne
17676 1018 952 Softbank BB Corp.
23577 1634 935 Korea Telecom (ATM-MPLS)
Complete listing at http://thyme.apnic.net/current/data-CIDRnet
List of Unregistered Origin ASNs (Global)
-----------------------------------------
Bad AS Designation Network Transit AS Description
14780 UNALLOCATED 4.79.181.0/24 10310 Yahoo!
12180 UNALLOCATED 4.79.248.0/24 1239 Sprint
26478 UNALLOCATED 8.7.228.0/24 6461 AboveNet Communicati
12180 UNALLOCATED 8.10.16.0/24 3549 Global Crossing
12180 UNALLOCATED 8.10.58.0/23 3549 Global Crossing
14779 UNALLOCATED 8.12.144.0/24 10310 Yahoo!
16927 UNALLOCATED 12.0.252.0/23 7018 AT&T WorldNet Servic
22492 UNALLOCATED 12.2.46.0/24 1239 Sprint
14984 UNALLOCATED 12.2.192.0/24 7132 SBC Internet Service
15132 UNALLOCATED 12.9.150.0/24 701 UUNET Technologies,
Complete listing at http://thyme.apnic.net/current/data-badAS
Advertised Unallocated Addresses
--------------------------------
Network Origin AS Description
24.51.159.0/24 7843 Adelphia Corp.
24.54.224.0/19 20001 HoldCo LLC - Road Runner
24.75.160.0/19 7843 Adelphia Corp.
24.75.192.0/18 7843 Adelphia Corp.
24.142.40.0/21 7018 AT&T WorldNet Services
24.142.160.0/19 7018 AT&T WorldNet Services
24.246.0.0/17 7018 AT&T WorldNet Services
24.246.128.0/18 7018 AT&T WorldNet Services
62.61.220.0/24 24974 Tachyon Europe BV - Wireless
63.140.213.0/24 22555 Universal Talkware Corporatio
Complete listing at http://thyme.apnic.net/current/data-add-IANA
Number of prefixes announced per prefix length (Global)
-------------------------------------------------------
/1:0 /2:0 /3:0 /4:0 /5:0 /6:0
/7:0 /8:19 /9:9 /10:16 /11:41 /12:137
/13:277 /14:499 /15:997 /16:9813 /17:4312 /18:7285
/19:15269 /20:17525 /21:16771 /22:21294 /23:22327 /24:131495
/25:775 /26:894 /27:483 /28:106 /29:9 /30:1
/31:0 /32:8
Advertised prefixes smaller than registry allocations
-----------------------------------------------------
ASN No of nets Total ann. Description
11492 1205 1219 Cable One
2386 1099 1399 AT&T Data Communications Serv
18566 1027 1046 Covad Communications
9583 987 1152 Sify Limited
7011 964 1082 Citizens Utilities
4755 962 1619 Videsh Sanchar Nigam Ltd. Aut
6478 893 894 AT&T Worldnet Services
17488 860 1045 Hathway IP Over Cable Interne
23577 808 1634 Korea Telecom (ATM-MPLS)
9498 804 1129 BHARTI BT INTERNET LTD.
Complete listing at http://thyme.apnic.net/current/data/sXXas-nos
Number of /24s announced per /8 block (Global)
----------------------------------------------
4:9 8:102 12:1998 13:1 15:20 16:3
17:6 18:13 20:35 24:1046 25:1 32:60
33:4 38:407 40:95 41:634 44:2 47:8
52:3 55:3 56:3 57:22 58:513 59:423
60:423 61:987 62:1087 63:1957 64:3360 65:2370
66:3607 67:1092 68:654 69:2110 70:541 71:127
72:1540 73:6 74:899 75:221 76:284 77:617
78:543 79:111 80:892 81:831 82:607 83:370
84:522 85:943 86:388 87:628 88:322 89:1207
90:11 91:1126 92:238 93:166 96:19 97:16
98:108 99:3 116:582 117:280 118:102 119:380
121:465 122:719 123:303 124:834 125:1125 128:325
129:198 130:124 131:405 132:69 133:9 134:188
135:32 136:222 137:119 138:155 139:65 140:483
141:110 142:380 143:279 144:347 145:54 146:338
147:133 148:496 149:180 150:121 151:159 152:142
153:127 154:11 155:266 156:207 157:254 158:167
159:223 160:245 161:110 162:206 163:219 164:572
165:433 166:296 167:314 168:594 169:130 170:426
171:28 172:3 189:165 190:1582 192:5769 193:4089
194:3259 195:2379 196:1075 198:3761 199:3235 200:5519
201:1322 202:7543 203:7774 204:3986 205:2111 206:2413
207:2721 208:3223 209:3472 210:2525 211:1033 212:1326
213:1610 214:453 215:48 216:4278 217:1197 218:349
219:404 220:1062 221:402 222:312
End of report

BGP Update Report
by cidr-report@potaroo.net
BGP Update Report
Interval: 25-Feb-08 -to- 27-Mar-08 (32 days)
Observation Point: BGP Peering with AS2.0
TOP 20 Unstable Origin AS
Rank ASN Upds % Upds/Pfx AS-Name
1 - AS9498 119461 1.8% 94.6 -- BBIL-AP BHARTI BT INTERNET LTD.
2 - AS24731 76983 1.2% 916.5 -- ASN-NESMA National Engineering Services and Marketing Company Ltd. (NESMA)
3 - AS9121 58711 0.9% 23.2 -- TTNET TTnet Autonomous System
4 - AS4795 58375 0.9% 263.0 -- INDOSAT2-ID INDOSATM2 ASN
5 - AS17974 57498 0.9% 85.9 -- TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
6 - AS9583 53390 0.8% 45.7 -- SIFY-AS-IN Sify Limited
7 - AS8151 48530 0.7% 40.4 -- Uninet S.A. de C.V.
8 - AS26829 42684 0.6% 42684.0 -- YKK-USA - YKK USA,INC
9 - AS18306 42224 0.6% 1141.2 -- MASANHANANET-AS-KR HANANET
10 - AS14895 36884 0.6% 12294.7 -- LAWSON-SOFTWARE - Lawson Software
11 - AS9829 33380 0.5% 55.8 -- BSNL-NIB National Internet Backbone
12 - AS6140 32406 0.5% 47.0 -- IMPSAT-USA - ImpSat USA, Inc.
13 - AS24863 32157 0.5% 70.7 -- LINKdotNET-AS
14 - AS11830 32075 0.5% 13.8 -- Instituto Costarricense de Electricidad y Telecom.
15 - AS22773 31655 0.5% 34.7 -- CCINET-2 - Cox Communications Inc.
16 - AS2386 28515 0.4% 20.0 -- INS-AS - AT&T Data Communications Services
17 - AS1239 27883 0.4% 7.3 -- SPRINTLINK - Sprint
18 - AS23005 27262 0.4% 1817.5 -- SWITCH-COMMUNICATIONS - SWITCH Communications Group LLC
19 - AS10481 24866 0.4% 29.2 -- Prima S.A.
20 - AS9198 24217 0.4% 65.3 -- KAZTELECOM-AS Kazakhtelecom Corporate Sales Administration
TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank ASN Upds % Upds/Pfx AS-Name
1 - AS26829 42684 0.6% 42684.0 -- YKK-USA - YKK USA,INC
2 - AS19334 23016 0.3% 23016.0 -- SPORTLINE-DBC - SPORTLINE
3 - AS17487 20997 0.3% 20997.0 -- ICBCASIA-AP Industrial and Commercial Bank
4 - AS13495 20642 0.3% 20642.0 -- NTT do Brasil Telecomunicaoes Ltda
5 - AS21291 15011 0.2% 15011.0 -- OMEGABANK 8 Dragatsaniou str
6 - AS42787 13141 0.2% 13141.0 -- MMIP-AS MultiMedia IP Ltd.
7 - AS14895 36884 0.6% 12294.7 -- LAWSON-SOFTWARE - Lawson Software
8 - AS30929 7785 0.1% 7785.0 -- HUTCB Hidrotechnical Faculty - Technical University
9 - AS41907 6576 0.1% 6576.0 -- POLFA PZPF Polfa
10 - AS29225 6568 0.1% 6568.0 -- TAIF-TELCOM-AS JSC TAIF-TELCOM
11 - AS19017 3421 0.1% 3421.0 -- QUALCOMM-QWBS-LV - Qualcomm Wireless Business Solutions
12 - AS15136 3186 0.1% 3186.0 -- AS-NSPOF - NSPOF Communications Inc
13 - AS36975 3059 0.1% 3059.0 -- CBA-AS
14 - AS44656 2652 0.0% 2652.0 -- HOLOSFIND-ROMANIA HOLOSFIND SRL
15 - AS29910 2188 0.0% 2188.0 -- IACP - INTL. ASSN OF CHIEF OF POLICEI
16 - AS40011 2091 0.0% 2091.0 -- 65-79-192-0-SYNIVERSE-CRX - Panhandle Telecommunications Systems, INC.
17 - AS9747 18616 0.3% 2068.4 -- EZINTERNET-AS-AP EZInternet Pty Ltd
18 - AS35324 1868 0.0% 1868.0 -- ECH-WILL-AS E.C.H. Will
19 - AS23005 27262 0.4% 1817.5 -- SWITCH-COMMUNICATIONS - SWITCH Communications Group LLC
20 - AS23484 12566 0.2% 1795.1 -- PACENET - Pace University
TOP 20 Unstable Prefixes
Rank Prefix Upds % Origin AS -- AS Name
1 - 125.23.208.0/20 44476 0.6% AS9498 -- BBIL-AP BHARTI BT INTERNET LTD.
2 - 12.108.254.0/24 42684 0.6% AS26829 -- YKK-USA - YKK USA,INC
3 - 203.101.87.0/24 35927 0.5% AS9498 -- BBIL-AP BHARTI BT INTERNET LTD.
4 - 202.140.63.0/24 29830 0.4% AS17443 -- ESTELCOM-AP International Internet gateway , India
AS9498 -- BBIL-AP BHARTI BT INTERNET LTD.
5 - 64.79.128.0/19 27150 0.4% AS23005 -- SWITCH-COMMUNICATIONS - SWITCH Communications Group LLC
6 - 63.169.11.0/24 23016 0.3% AS19334 -- SPORTLINE-DBC - SPORTLINE
7 - 125.57.60.0/24 21655 0.3% AS18306 -- MASANHANANET-AS-KR HANANET
8 - 220.241.83.0/24 20997 0.3% AS17487 -- ICBCASIA-AP Industrial and Commercial Bank
9 - 200.194.64.0/19 20642 0.3% AS13495 -- NTT do Brasil Telecomunicaoes Ltda
10 - 211.175.148.0/24 19452 0.3% AS18306 -- MASANHANANET-AS-KR HANANET
11 - 203.63.26.0/24 18492 0.3% AS9747 -- EZINTERNET-AS-AP EZInternet Pty Ltd
12 - 124.7.244.0/24 18414 0.3% AS9583 -- SIFY-AS-IN Sify Limited
13 - 221.128.192.0/18 16449 0.2% AS18231 -- EXATT-AS-AP Exatt Technologies Private Ltd.
14 - 89.4.131.0/24 16287 0.2% AS24731 -- ASN-NESMA National Engineering Services and Marketing Company Ltd. (NESMA)
15 - 89.4.130.0/24 16179 0.2% AS24731 -- ASN-NESMA National Engineering Services and Marketing Company Ltd. (NESMA)
16 - 89.4.128.0/24 15684 0.2% AS24731 -- ASN-NESMA National Engineering Services and Marketing Company Ltd. (NESMA)
17 - 80.243.64.0/20 15607 0.2% AS21332 -- NTC-AS New Telephone Company
18 - 193.109.213.0/24 15011 0.2% AS21291 -- OMEGABANK 8 Dragatsaniou str
19 - 213.91.175.0/24 14475 0.2% AS8866 -- BTC-AS Bulgarian Telecommunication Company Plc.
20 - 193.33.184.0/23 13141 0.2% AS42787 -- MMIP-AS MultiMedia IP Ltd.
Details at http://bgpupdates.potaroo.net
------------------------------------
Copies of this report are mailed to:
nanog(a)merit.edu
eof-list(a)ripe.net
apops(a)apops.net
routing-wg(a)ripe.net
afnog(a)afnog.org

The Cidr Report
by cidr-report@potaroo.net
This report has been generated at Fri Mar 28 21:14:33 2008 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.
Check http://www.cidr-report.org for a current version of this report.
Recent Table History
Date Prefixes CIDR Agg
21-03-08 261084 164253
22-03-08 259085 164458
23-03-08 259042 164446
24-03-08 259084 164765
25-03-08 259298 165409
26-03-08 259348 166083
27-03-08 259811 160215
28-03-08 254550 160603
AS Summary
27845 Number of ASes in routing system
11714 Number of ASes announcing only one prefix
1619 Largest number of prefixes announced by an AS
AS4755 : VSNL-AS Videsh Sanchar Nigam Ltd. Autonomous System
88497920 Largest address span announced by an AS (/32s)
AS721 : DISA-ASNBLK - DoD Network Information Center
Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').
--- 28Mar08 ---
ASnum NetsNow NetsAggr NetGain % Gain Description
Table 254764 160681 94083 36.9% All ASes
AS9498 1129 71 1058 93.7% BBIL-AP BHARTI BT INTERNET LTD.
AS4323 1391 384 1007 72.4% TWTC - Time Warner Telecom, Inc.
AS4755 1619 612 1007 62.2% VSNL-AS Videsh Sanchar Nigam Ltd. Autonomous System
AS22773 911 101 810 88.9% CCINET-2 - Cox Communications Inc.
AS1785 1007 198 809 80.3% AS-PAETEC-NET - PaeTec Communications, Inc.
AS18566 1046 245 801 76.6% COVAD - Covad Communications Co.
AS11492 1218 455 763 62.6% CABLEONE - CABLE ONE
AS17488 1044 293 751 71.9% HATHWAY-NET-AP Hathway IP Over Cable Internet
AS6389 958 259 699 73.0% BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS8151 1188 514 674 56.7% Uninet S.A. de C.V.
AS18101 673 67 606 90.0% RIL-IDC Reliance Infocom Ltd Internet Data Centre,
AS6478 894 339 555 62.1% ATT-INTERNET3 - AT&T WorldNet Services
AS2386 1403 868 535 38.1% INS-AS - AT&T Data Communications Services
AS4134 859 375 484 56.3% CHINANET-BACKBONE No.31,Jin-rong Street
AS6197 988 511 477 48.3% BATI-ATL - BellSouth Network Solutions, Inc
AS4812 562 103 459 81.7% CHINANET-SH-AP China Telecom (Group)
AS19916 555 99 456 82.2% ASTRUM-0001 - OLM LLC
AS4766 851 398 453 53.2% KIXS-AS-KR Korea Telecom
AS855 564 115 449 79.6% CANET-ASN-4 - Bell Aliant
AS7011 1082 637 445 41.1% FRONTIER-AND-CITIZENS - Frontier Communications of America, Inc.
AS17676 509 66 443 87.0% GIGAINFRA BB TECHNOLOGY Corp.
AS8103 555 113 442 79.6% STATE-OF-FLA - Florida Department of Management Services - Technology Program
AS7018 1449 1025 424 29.3% ATT-INTERNET4 - AT&T WorldNet Services
AS3356 830 416 414 49.9% LEVEL3 Level 3 Communications
AS6198 688 299 389 56.5% BATI-MIA - BellSouth Network Solutions, Inc
AS19262 892 509 383 42.9% VZGNI-TRANSIT - Verizon Internet Services Inc.
AS5668 678 299 379 55.9% AS-5668 - CenturyTel Internet Holdings, Inc.
AS6140 607 229 378 62.3% IMPSAT-USA - ImpSat USA, Inc.
AS9443 453 77 376 83.0% INTERNETPRIMUS-AS-AP Primus Telecommunications
AS3602 453 80 373 82.3% AS3602-RTI - Rogers Telecom Inc.
Total 27056 9757 17299 63.9% Top 30 total
Possible Bogus Routes
202.94.70.0/24 AS9837 POWERTEL-AP Powertel Ltd
202.124.195.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom
202.124.207.0/24 AS17911 BRAINPK-AS-AP Brain Telecommunication Ltd.
202.136.254.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
202.136.255.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
202.164.100.0/24 AS18101 RIL-IDC Reliance Infocom Ltd Internet Data Centre,
202.181.32.0/24 AS4645 ASN-HKNET-AP HKNet Co. Ltd
203.2.128.0/17 AS17175 NSS-UK New Skies Satellites UK AS
203.12.45.0/24 AS4854 NETSPACE-AS-AP Netspace Online Systems
203.62.0.0/17 AS7575 AARNET-AS-AP Australian Academic and Reasearch Network (AARNet)
203.78.48.0/20 AS9299 IPG-AS-AP Philippine Long Distance Telephone Company
203.89.139.0/24 AS17911 BRAINPK-AS-AP Brain Telecommunication Ltd.
203.111.192.0/20 AS7473 SINGTEL-AS-AP Singapore Telecom
203.112.97.0/24 AS9942 COMINDICO-AP SOUL Converged Communications Australia
203.112.111.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.113.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.114.0/24 AS4802 ASN-IINET iiNet Limited
203.112.116.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.117.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.118.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.119.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.120.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.121.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.112.127.0/24 AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd
203.128.128.0/19 AS4134 CHINANET-BACKBONE No.31,Jin-rong Street
203.128.128.0/24 AS23849 CNNIC-NET263-AP Beijing Capital-online science development Co.,Ltd.
203.152.136.0/23 AS23649 NEWSKIES-AS-AP New Skies Satellites, Hong Kong Teleport
203.152.138.0/23 AS23649 NEWSKIES-AS-AP New Skies Satellites, Hong Kong Teleport
203.152.142.0/24 AS23649 NEWSKIES-AS-AP New Skies Satellites, Hong Kong Teleport
203.152.143.0/24 AS23649 NEWSKIES-AS-AP New Skies Satellites, Hong Kong Teleport
203.160.110.0/23 AS7643 VNN-AS-AP Vietnam Posts and Telecommunications (VNPT)
204.9.216.0/23 AS7893 BELLSOUTH-NET-BLK2 - Bellsouth.Net
204.9.217.0/24 AS4323 TWTC - Time Warner Telecom, Inc.
204.9.218.0/23 AS7893 BELLSOUTH-NET-BLK2 - Bellsouth.Net
204.13.140.0/22 AS7270 NET2PHONE - Net2Phone Corp.
204.16.120.0/23 AS12077
204.16.122.0/23 AS12077
204.19.14.0/23 AS577 BACOM - Bell Canada
204.29.196.0/24 AS7018 ATT-INTERNET4 - AT&T WorldNet Services
204.29.197.0/24 AS7018 ATT-INTERNET4 - AT&T WorldNet Services
204.48.58.0/24 AS4323 TWTC - Time Warner Telecom, Inc.
204.48.60.0/24 AS4323 TWTC - Time Warner Telecom, Inc.
204.154.125.0/24 AS3952 TELLABS-ASN - TELLABS Operations, Inc.
204.154.126.0/24 AS3952 TELLABS-ASN - TELLABS Operations, Inc.
204.154.127.0/24 AS3952 TELLABS-ASN - TELLABS Operations, Inc.
205.150.0.0/15 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
206.28.176.0/21 AS1273 CW Cable and Wireless plc
206.162.224.0/19 AS23464 ILCSNET - Interlink Computer Services
206.180.240.0/20 AS12083 KNOLOGY-NET - Knology Holdings
206.220.240.0/24 AS10764 STARTAP - National Center for Supercomputing Applications
206.220.240.64/26 AS22335 MREN - Metropolitan Research and Education Network
206.220.240.128/25 AS10764 STARTAP - National Center for Supercomputing Applications
206.220.240.160/30 AS10764 STARTAP - National Center for Supercomputing Applications
206.220.240.220/32 AS10764 STARTAP - National Center for Supercomputing Applications
206.220.241.0/24 AS10764 STARTAP - National Center for Supercomputing Applications
207.98.192.0/24 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
207.98.209.0/24 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
207.98.223.0/24 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
207.191.128.0/19 AS10887 BPSI-AS - BPSI Internet Services
207.204.168.0/24 AS15150 BELLTECH-AS - BELLWETHER TECHNOLOGY CORPORATION
207.204.222.0/24 AS22773 CCINET-2 - Cox Communications Inc.
207.204.248.0/24 AS6653 PRIVATEI - privateI, LLC
207.231.96.0/19 AS11194 NUNETPA - NuNet Inc.
207.254.192.0/19 AS11881
208.38.192.0/18 AS3043 AMPHIB-AS - Amphibian Media Corporation
208.38.192.0/21 AS14237 BEAMSPEED1 - Beamspeed
208.38.200.0/23 AS14237 BEAMSPEED1 - Beamspeed
208.38.202.0/24 AS14237 BEAMSPEED1 - Beamspeed
208.38.203.0/24 AS14237 BEAMSPEED1 - Beamspeed
208.38.204.0/22 AS14237 BEAMSPEED1 - Beamspeed
209.54.42.0/24 AS6653 PRIVATEI - privateI, LLC
209.54.93.0/24 AS22773 CCINET-2 - Cox Communications Inc.
209.54.111.0/24 AS22773 CCINET-2 - Cox Communications Inc.
209.54.123.0/24 AS6062 NETPLEX - NETPLEX
209.54.142.0/24 AS12284 IPNS-AS - Internet Professionals & Network Solutions
209.54.240.0/21 AS10887 BPSI-AS - BPSI Internet Services
209.105.224.0/19 AS20074
209.140.64.0/20 AS22307 SINGLEEDGE-AS - SingleEdge, Inc.
209.140.90.0/24 AS14461 NTSL - NET SOLUTIONS
209.140.224.0/21 AS10573 WEBNEXUS - WebNexus Communications Inc.
209.140.234.0/24 AS10573 WEBNEXUS - WebNexus Communications Inc.
209.140.235.0/24 AS10573 WEBNEXUS - WebNexus Communications Inc.
209.140.236.0/24 AS10573 WEBNEXUS - WebNexus Communications Inc.
209.140.237.0/24 AS10573 WEBNEXUS - WebNexus Communications Inc.
209.140.238.0/24 AS10573 WEBNEXUS - WebNexus Communications Inc.
209.140.239.0/24 AS10573 WEBNEXUS - WebNexus Communications Inc.
209.141.4.0/24 AS6653 PRIVATEI - privateI, LLC
209.141.16.0/21 AS10573 WEBNEXUS - WebNexus Communications Inc.
209.141.48.0/22 AS14461 NTSL - NET SOLUTIONS
209.141.104.0/24 AS6653 PRIVATEI - privateI, LLC
209.145.192.0/18 AS3043 AMPHIB-AS - Amphibian Media Corporation
209.145.204.0/22 AS14237 BEAMSPEED1 - Beamspeed
209.207.24.0/24 AS21829 JADETECH-NET - Jade Technologies, Inc.
209.207.36.0/24 AS21829 JADETECH-NET - Jade Technologies, Inc.
210.5.128.0/20 AS4837 CHINA169-BACKBONE CNCGROUP China169 Backbone
213.150.192.0/21 AS29571 CITelecom-AS
213.150.200.0/22 AS29571 CITelecom-AS
213.150.201.0/24 AS29338 AFOL-AS Used by Africaonline Operations
213.150.202.0/24 AS41042 SKYVISION SkyVision Network Services
216.37.114.0/23 AS3549 GBLX Global Crossing Ltd.
216.37.120.0/23 AS13377
216.59.0.0/17 AS3356 LEVEL3 Level 3 Communications
216.99.16.0/24 AS6395 LVLT-6395 - Level 3 Communications, Inc.
216.99.17.0/24 AS6395 LVLT-6395 - Level 3 Communications, Inc.
216.99.20.0/24 AS6395 LVLT-6395 - Level 3 Communications, Inc.
216.119.128.0/24 AS14345 CRESCENT-TECH - Crescent Technology
216.119.131.0/24 AS14345 CRESCENT-TECH - Crescent Technology
216.119.141.0/24 AS14345 CRESCENT-TECH - Crescent Technology
216.162.96.0/19 AS7393 CYBERCON - CYBERCON, INC.
216.172.198.0/24 AS22773 CCINET-2 - Cox Communications Inc.
216.172.199.0/24 AS22773 CCINET-2 - Cox Communications Inc.
216.210.86.0/24 AS577 BACOM - Bell Canada
216.240.240.0/24 AS7018 ATT-INTERNET4 - AT&T WorldNet Services
216.240.241.0/24 AS7018 ATT-INTERNET4 - AT&T WorldNet Services
216.240.242.0/24 AS7018 ATT-INTERNET4 - AT&T WorldNet Services
216.251.207.0/24 AS1239 SPRINTLINK - Sprint
217.78.71.0/24 AS12491 IPPLANET-AS IPPlanet
217.78.72.0/24 AS12491 IPPLANET-AS IPPlanet
217.78.73.0/24 AS12491 IPPLANET-AS IPPlanet
Please see http://www.cidr-report.org for the full report
------------------------------------
Copies of this report are mailed to:
nanog(a)merit.edu
eof-list(a)ripe.net
apops(a)apops.net
routing-wg(a)ripe.net
afnog(a)afnog.org

Cisco Security Advisory: Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS
by Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple DLSw Denial of Service
Vulnerabilities in Cisco IOS
Advisory ID: cisco-sa-20080326-dlsw
http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml
Revision 1.0
For Public Release 2008 March 26 1600 UTC (GMT)
Summary
=======
Cisco IOS contains multiple vulnerabilities in the Data-link
Switching (DLSw) feature that may result in a reload or memory leaks
when processing specially crafted UDP or IP Protocol 91 packets.
Cisco has released free software updates that address these
vulnerabilities. Workarounds are available to mitigate the effects of
these vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml
Note: The March 26, 2008 publication includes five Security
Advisories. The Advisories all affect Cisco's Internetwork Operating
System (IOS). Each Advisory lists the releases that correct the
vulnerability described in the Advisory, and the Advisories also
detail the releases that correct the vulnerabilities in all five
Advisories. Please reference the following software table to find a
release which fixes all published Security Advisories as of March
26th, 2008.
  * March 26th bundled IOS Advisory Table
    http://www.cisco.com/warp/public/707/cisco-sa-20080326-bundle.shtml
Individual publication links are listed below:
  * Cisco IOS Virtual Private Dial-up Network Denial of Service
    Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml
  * Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS
    http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml
  * Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6
    Dual-stack Routers
    http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml
  * Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor
    32, Supervisor 720, or Route Switch Processor 720
    http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml
  * Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak
    http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml
Affected Products
=================
Vulnerable Products
+------------------
This security advisory applies to all Cisco products that run any
version of affected Cisco IOS software configured for DLSw. Systems
that contain the DLSw feature, but do not have it enabled, are not
affected.
Routers enabled for DLSw contain a line in the configuration defining
a local DLSw peer. This configuration can be observed by issuing the
command "show running-config". Systems configured for DLSw contain
lines similar to the following:
"dlsw local-peer"
or
"dlsw local-peer peer-id <IP address>"
Any version of Cisco IOS prior to the versions which are listed in
the Software Versions and Fixes section below is vulnerable.
To determine the version of Cisco IOS software running on a Cisco
product, log in to the device and issue the "show version" command to
display the system banner. Cisco IOS Software will identify itself as
"Internetwork Operating System Software" or simply "IOS". On the next
line of output, the image name will be displayed between parentheses,
followed by "Version" and the IOS release name. Other Cisco devices
will not have the "show version" command or will give different
output.
The following example identifies a Cisco product running Cisco IOS
Software Release 12.3(6) with an installed image name of C3640-IS-M:
    Cisco Internetwork Operating System Software
    IOS (tm) 3600 Software (C3640-IS-M), Version 12.3(6), RELEASE SOFTWARE (fc3)
The next example shows a product running Cisco IOS Software Release
12.3(11)T3 with an image name of C3845-ADVIPSERVICESK9-M:
    Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.3(11)T3, RELEASE SOFTWARE (fc4)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2005 by Cisco Systems, Inc.
Additional information about Cisco IOS release naming can be found at
http://www.cisco.com/warp/public/620/1.html.
Products Confirmed Not Vulnerable
+--------------------------------
Cisco IOS devices that are not configured for DLSw are not
vulnerable.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Data-link switching (DLSw) provides a means of transporting IBM
Systems Network Architecture (SNA) and network basic input/output
system (NetBIOS) traffic over an IP network. Cisco's implementation of
DLSw also uses UDP port 2067 and IP Protocol 91 for Fast Sequenced
Transport (FST).
Multiple vulnerabilities exist in Cisco IOS when processing UDP and
IP protocol 91 packets. These vulnerabilities do not affect TCP
packet processing. Successful exploitation may result in a reload
of the system or a memory leak on the device, leading to a denial of
service (DoS) condition.
Cisco IOS devices configured for DLSw with "dlsw local-peer"
automatically listen for IP protocol 91 packets. A Cisco IOS device
that is configured for DLSw with the "dlsw local-peer peer-id
<IP-address>" command listens for IP protocol 91 packets and UDP port
2067.
Cisco IOS devices listen for IP protocol 91 packets when DLSw is
configured. However, IP protocol 91 is only used if DLSw is configured
for Fast Sequenced Transport (FST). A DLSw FST peer configuration will
contain the following line:
"dlsw remote-peer 0 fst <ip-address>"
It is possible to disable UDP processing in DLSw with the "dlsw
udp-disable" command. However, disabling UDP only prevents the
sending of UDP packets; it does not prevent the device from receiving
and processing incoming UDP packets.
These vulnerabilities are documented in Cisco Bug ID CSCsk73104
and have been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2008-1152.
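The checks described above can be applied to saved "show running-config" and "show version" output. The following Python script is an added example, not part of the Cisco advisory; the function names, result keys and sample configurations (documentation-range addresses) are constructed for illustration, and the two banners are the ones quoted in the advisory.

```python
import re

# Configuration lines named in the advisory.
LOCAL_PEER = re.compile(r"^dlsw local-peer\b(?P<args>.*)$")
PEER_ID = re.compile(r"\bpeer-id\s+(\d{1,3}(?:\.\d{1,3}){3})\b")
FST_PEER = re.compile(r"^dlsw remote-peer\s+\d+\s+fst\s+(\S+)")
# "(IMAGE-NAME), Version RELEASE," as it appears in the system banner.
BANNER = re.compile(r"\(([^)]+)\),\s+Version\s+([^,\s]+)")


def parse_show_version(output):
    """Return the image name and IOS release from 'show version' output."""
    m = BANNER.search(output)
    return {"image": m.group(1), "version": m.group(2)} if m else None


def audit_dlsw(running_config):
    """Report which DLSw listeners a saved running-config implies."""
    local_peer, peer_id, fst_peers, udp_disable = False, None, [], False
    for raw in running_config.splitlines():
        line = raw.strip()  # "no dlsw ..." and "!" comment lines never match
        m = LOCAL_PEER.match(line)
        if m:
            local_peer = True
            pid = PEER_ID.search(m.group("args"))
            if pid:
                peer_id = pid.group(1)
            continue
        m = FST_PEER.match(line)
        if m:
            fst_peers.append(m.group(1))
        elif line == "dlsw udp-disable":
            udp_disable = True

    result = {"dlsw_enabled": local_peer, "listeners": [],
              "fst_peers": fst_peers, "notes": []}
    if not local_peer:
        result["notes"].append("no 'dlsw local-peer' line: DLSw not enabled")
        return result

    # Any local peer listens for IP protocol 91; peer-id adds UDP 2067.
    result["listeners"].append("ip-protocol-91")
    if peer_id:
        result["listeners"].append("udp/2067")
    if not fst_peers:
        result["notes"].append(
            "IP protocol 91 is listened on although no FST peer is configured")
    if udp_disable and peer_id:
        result["notes"].append(
            "'dlsw udp-disable' only stops sending; inbound UDP is still processed")
    return result


# Constructed sample configurations (not from the advisory).
CONFIG_NONE = """hostname edge1
interface FastEthernet0/0
 ip address 192.0.2.10 255.255.255.0
"""
CONFIG_BARE = """hostname branch1
dlsw local-peer
"""
CONFIG_FULL = """hostname hub1
dlsw local-peer peer-id 192.0.2.1
dlsw udp-disable
dlsw remote-peer 0 fst 192.0.2.2
dlsw remote-peer 0 tcp 192.0.2.3
"""
# Banners quoted in the advisory.
BANNER_A = ("Cisco Internetwork Operating System Software\n"
            "IOS (tm) 3600 Software (C3640-IS-M), Version 12.3(6), "
            "RELEASE SOFTWARE (fc3)")
BANNER_B = ("Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), "
            "Version 12.3(11)T3, RELEASE SOFTWARE (fc4)")

if __name__ == "__main__":
    for name, cfg in (("none", CONFIG_NONE), ("bare", CONFIG_BARE),
                      ("full", CONFIG_FULL)):
        print(name, audit_dlsw(cfg))
    print(parse_show_version(BANNER_A))
    print(parse_show_version(BANNER_B))
```

The release string returned by parse_show_version is what gets compared against the "First Fixed Release" column for the matching train.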
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsk73104 - Handling of malformed packets by DLSW
CVSS Base Score - 7.8
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
CVSS Temporal Score - 6.4
Exploitability: Functional
Remediation Level: Official-Fix
Report Confidence: Confirmed
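To show how an environmental score follows from the base and temporal metrics listed above, this added Python example (not part of the Cisco advisory) implements the CVSS version 2.0 equations and reproduces the 7.8 and 6.4 scores. The vector string is the advisory's metrics written in CVSS v2 notation; the environmental values passed in the sample calls are assumptions for two hypothetical networks.

```python
from decimal import Decimal as D, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 specification.
AV = {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")}
AC = {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")}
AU = {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")}
CIA = {"N": D("0"), "P": D("0.275"), "C": D("0.660")}
E = {"U": D("0.85"), "POC": D("0.90"), "F": D("0.95"), "H": D("1.0"), "ND": D("1.0")}
RL = {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0"), "ND": D("1.0")}
RC = {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0"), "ND": D("1.0")}
CDP = {"N": D("0"), "L": D("0.1"), "LM": D("0.3"), "MH": D("0.4"), "H": D("0.5"), "ND": D("0")}
TD = {"N": D("0"), "L": D("0.25"), "M": D("0.75"), "H": D("1.0"), "ND": D("1.0")}
REQ = {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")}

# The advisory's metrics for CSCsk73104, written as a CVSS v2 vector.
ADVISORY_VECTOR = "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C"


def parse_vector(vector):
    """Split 'AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":", 1) for part in vector.split("/"))


def round1(x):
    """round_to_1_decimal from the specification."""
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)


def _base_from_impact(m, impact):
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f = D("0") if impact == 0 else D("1.176")
    return round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f)


def base_score(m):
    impact = D("10.41") * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    return _base_from_impact(m, impact)


def temporal_score(m, base=None):
    base = base_score(m) if base is None else base
    return round1(base * E[m.get("E", "ND")] * RL[m.get("RL", "ND")] * RC[m.get("RC", "ND")])


def environmental_score(m, cdp="ND", td="ND", cr="ND", ir="ND", ar="ND"):
    """Re-weight impact by the security requirements, then apply CDP and TD."""
    adjusted_impact = min(D("10"), D("10.41") * (
        1 - (1 - CIA[m["C"]] * REQ[cr])
          * (1 - CIA[m["I"]] * REQ[ir])
          * (1 - CIA[m["A"]] * REQ[ar])))
    adjusted_temporal = temporal_score(m, _base_from_impact(m, adjusted_impact))
    return round1((adjusted_temporal + (10 - adjusted_temporal) * CDP[cdp]) * TD[td])


if __name__ == "__main__":
    m = parse_vector(ADVISORY_VECTOR)
    print("base     ", base_score(m))
    print("temporal ", temporal_score(m))
    # Assumed network 1: availability is critical, most routers run DLSw.
    print("env (AR:H, TD:H)       ", environmental_score(m, ar="H", td="H"))
    # Assumed network 2: availability is critical, few routers run DLSw.
    print("env (AR:H, TD:L, CDP:L)", environmental_score(m, cdp="L", td="L", ar="H"))
```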
Impact
======
Successful exploitation of these vulnerabilities may result in the
reload of the device or memory leaks, leading to a DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Release" column of the
table.
+----------------------------------------+
| Major | Availability of Repaired |
| Release | Releases |
|------------+---------------------------|
| Affected | First Fixed | Recommended |
| 12.0-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.0 | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.0(8)DA3 | |
| | are | |
| | vulnerable, | |
| | release | |
| 12.0DA | 12.0(8)DA3 | |
| | and later | |
| | are not | |
| | vulnerable; | |
| | migrate to | |
| | any release | |
| | in 12.2DA | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.0(7)DB | |
| | are | |
| | vulnerable, | |
| 12.0DB | release | 12.4(18a) |
| | 12.0(7)DB | |
| | and later | |
| | are not | |
| | vulnerable; | |
| | first fixed | |
| | in 12.4 | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.0(7)DC | |
| | are | |
| | vulnerable, | |
| 12.0DC | release | 12.4(18a) |
| | 12.0(7)DC | |
| | and later | |
| | are not | |
| | vulnerable; | |
| | first fixed | |
| | in 12.4 | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.0(17)S5 | |
| | are | |
| 12.0S | vulnerable, | 12.0(32)S10 |
| | release | |
| | 12.0(17)S5 | |
| | and later | |
| | are not | |
| | vulnerable; | |
|------------+-------------+-------------|
| 12.0SC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0SL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0SP | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0ST | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0SX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0SY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0SZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.0T | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.0W | Vulnerable; | 12.0(3c)W5 |
| | contact TAC | (8) |
|------------+-------------+-------------|
| 12.0WC | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.0WT | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.0XA | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.0XB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.0(2)XC2 | |
| | are | |
| | vulnerable, | |
| 12.0XC | release | 12.3(26) |
| | 12.0(2)XC2 | |
| | and later | |
| | are not | |
| | vulnerable; | |
| | first fixed | |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.0XD | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.0XE | first fixed | |
| | in 12.1E | |
|------------+-------------+-------------|
| 12.0XF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.0XG | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.0XH | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.0(4)XI2 | |
| | are | |
| | vulnerable, | |
| 12.0XI | release | 12.3(26) |
| | 12.0(4)XI2 | |
| | and later | |
| | are not | |
| | vulnerable; | |
| | first fixed | |
| | in 12.3 | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.0(4)XJ5 | |
| | are | |
| | vulnerable, | |
| 12.0XJ | release | 12.3(26) |
| | 12.0(4)XJ5 | |
| | and later | |
| | are not | |
| | vulnerable; | |
| | first fixed | |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.0XK | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.0XL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XM | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.0XN | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.0XQ | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.0XR | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.0XS | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XV | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| Affected | First Fixed | Recommended |
| 12.1-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1 | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1AA | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.1AX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.1(22)AY1 | |
| | are | |
| 12.1AY | vulnerable, | 12.1(22) |
| | release | EA11 |
| | 12.1(22)AY1 | |
| | and later | |
| | are not | |
| | vulnerable; | |
|------------+-------------+-------------|
| 12.1AZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1CX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1DA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.1(4)DB1 | |
| | are | |
| | vulnerable, | |
| 12.1DB | release | 12.4(18a) |
| | 12.1(4)DB1 | |
| | and later | |
| | are not | |
| | vulnerable; | |
| | first fixed | |
| | in 12.4 | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.1(4)DC2 | |
| | are | |
| | vulnerable, | |
| 12.1DC | release | 12.4(18a) |
| | 12.1(4)DC2 | |
| | and later | |
| | are not | |
| | vulnerable; | |
| | first fixed | |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.1E | 12.1(27b)E4 | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.1(11)EA1 | |
| | are | |
| 12.1EA | vulnerable, | 12.1(22) |
| | release | EA11 |
| | 12.1(11)EA1 | |
| | and later | |
| | are not | |
| | vulnerable; | |
|------------+-------------+-------------|
| 12.1EB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1EC | migrate to | 12.3(23)BC1 |
| | any release | |
| | in 12.2BC | |
|------------+-------------+-------------|
| 12.1EO | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1EU | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1EV | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1EW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1EX | first fixed | |
| | in 12.1E | |
|------------+-------------+-------------|
| 12.1EY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1EZ | first fixed | |
| | in 12.1E | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1GA | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1GB | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1T | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XA | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.1XB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XC | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XD | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.1XE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XG | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XH | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XI | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XJ | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.1XK | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XM | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.1XN | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XO | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XP | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XQ | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.1XR | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XS | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.1(3)XT2 | |
| | are | |
| | vulnerable, | |
| 12.1XT | release | 12.3(26) |
| | 12.1(3)XT2 | |
| | and later | |
| | are not | |
| | vulnerable; | |
| | first fixed | |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.1XU | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.1(5)XV1 | |
| | are | |
| | vulnerable, | |
| 12.1XV | release | 12.3(26) |
| | 12.1(5)XV1 | |
| | and later | |
| | are not | |
| | vulnerable; | |
| | first fixed | |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XW | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XX | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XY | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XZ | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1YA | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1YB | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.1YC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1YD | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.1(5)YE1 | |
| | are | |
| | vulnerable, | |
| 12.1YE | release | 12.3(26) |
| | 12.1(5)YE1 | |
| | and later | |
| | are not | |
| | vulnerable; | |
| | first fixed | |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.1YF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1YG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1YH | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1YI | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.1YJ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| Affected | First Fixed | Recommended |
| 12.2-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2 | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2B | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.2BC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2BW | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2BY | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.2BZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2CX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2CY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2CZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2DA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2DD | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2DX | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.2EU | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2EW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2EWA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2EX | migrate to | 12.2(40)EX1 |
| | any release | |
| | in 12.2SEA | |
|------------+-------------+-------------|
| 12.2EY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2EZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2FX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2FY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2FZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2IXA | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2IXB | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2IXC | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2IXD | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| | migrate to | IXF; |
| 12.2IXE | any release | Available |
| | in 12.2IXF | on |
| | | 31-MAR-08 |
|------------+-------------+-------------|
| 12.2JA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2JK | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2MB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2MC | 12.2(15) | 12.4(18a) |
| | MC2h | |
|------------+-------------+-------------|
| 12.2S | 12.2(25)S15 | 12.2(25)S15 |
|------------+-------------+-------------|
| | 12.2(28) | |
| | SB10 | |
| | | |
| | 12.2(31)SB9 | 12.2(28) |
| 12.2SB | | SB12 |
| | 12.2(33)SB; | |
| | Available | |
| | on | |
| | 31-MAR-08 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| | first fixed | |
| | in 12.2SB | |
| | | |
| 12.2SBC | Vulnerable; | 12.2(28) |
| | first fixed | SB12 |
| | in 12.2SB; | |
| | Available | |
| | on | |
| | 31-MAR-08 | |
|------------+-------------+-------------|
| 12.2SCA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SEA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SEB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SEC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SED | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SEE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SEF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SEG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SG | 12.2(44)SG | 12.2(44)SG |
|------------+-------------+-------------|
| 12.2SGA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SM | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SO | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SRA | 12.2(33) | 12.2(33) |
| | SRA6 | SRA7 |
|------------+-------------+-------------|
| | 12.2(33) | 12.2(33) |
| | SRB3; | SRB3; |
| 12.2SRB | Available | Available |
| | on | on |
| | 31-MAR-08 | 31-MAR-08 |
|------------+-------------+-------------|
| 12.2SRC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SU | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.2(29a) | |
| | SV1 are | |
| | vulnerable, | |
| | release | |
| 12.2SV | 12.2(29a) | 12.2(29b)SV |
| | SV1 and | |
| | later are | |
| | not | |
| | vulnerable; | |
| | migrate to | |
| | any release | |
| | in 12.2SVA | |
|------------+-------------+-------------|
| 12.2SVA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SVC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SVD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.2(25) | |
| | SW10 are | |
| | vulnerable, | |
| 12.2SW | release | |
| | 12.2(25) | |
| | SW10 and | |
| | later are | |
| | not | |
| | vulnerable; | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SX | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SXA | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SXB | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SXD | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SXE | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | 12.2(18) | |
| | SXF12 | |
| | | |
| 12.2SXF | 12.2(18) | 12.2(18) |
| | SXF12a | SXF13 |
| | | |
| | 12.2(18) | |
| | SXF13a | |
|------------+-------------+-------------|
| 12.2SXH | 12.2(33) | |
| | SXH1 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SY | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | | 12.2(25)S15 |
| | Vulnerable; | |
| 12.2SZ | first fixed | 12.2(28) |
| | in 12.2S | SB12 |
| | | |
| | | 12.2(33)SRC |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2T | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.2TPC | 12.2(8) | |
| | TPC10d | |
|------------+-------------+-------------|
| 12.2UZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XA | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XB | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XC | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XD | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.2XE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XG | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XH | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.2XI | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XJ | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XK | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XL | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XM | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.2XN | 12.2(33)XN1 | 12.3(26) |
|------------+-------------+-------------|
| 12.2XO | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XQ | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.2XR | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XS | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XT | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XU | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XV | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XW | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.2(4)YA8 | |
| | are | |
| | vulnerable, | |
| 12.2YA | release | 12.3(26) |
| | 12.2(4)YA8 | |
| | and later | |
| | are not | |
| | vulnerable; | |
| | first fixed | |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YB | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YC | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YD | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | | 12.2(25)S15 |
| | Vulnerable; | |
| 12.2YE | first fixed | 12.2(28) |
| | in 12.2S | SB12 |
| | | |
| | | 12.2(33)SRC |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YF | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.2YG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YH | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.2(8)YJ1 | |
| | are | |
| | vulnerable, | |
| 12.2YJ | release | 12.3(26) |
| | 12.2(8)YJ1 | |
| | and later | |
| | are not | |
| | vulnerable; | |
| | first fixed | |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.2YK | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YL | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YM | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YN | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2YO | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| 12.2YP | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YQ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YR | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YS | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YT | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YU | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.2(11)YV1 | |
| | are | |
| | vulnerable, | |
| 12.2YV | release | 12.4(18a) |
| | 12.2(11)YV1 | |
| | and later | |
| | are not | |
| | vulnerable; | |
| | first fixed | |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YW | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YX | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YY | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | | 12.2(25)S15 |
| | Vulnerable; | |
| 12.2YZ | first fixed | 12.2(28) |
| | in 12.2S | SB12 |
| | | |
| | | 12.2(33)SRC |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2ZA | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZB | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.2ZC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZD | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZE | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZF | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.2ZG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.2(13)ZH6 | |
| | are | |
| | vulnerable, | |
| 12.2ZH | release | 12.2(13) |
| | 12.2(13)ZH6 | ZH11 |
| | and later | |
| | are not | |
| | vulnerable; | |
| | first fixed | |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZJ | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T4 |
| 12.2ZL | first fixed | |
| | in 12.4 | 12.4(18a) |
|------------+-------------+-------------|
| 12.2ZP | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(33) |
| 12.2ZU | first fixed | SXH2 |
| | in 12.2SXH | |
|------------+-------------+-------------|
| 12.2ZY | 12.2(18)ZY2 | 12.2(18)ZY2 |
|------------+-------------+-------------|
| Affected | First Fixed | Recommended |
| 12.3-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| 12.3 | 12.3(24) | 12.3(26) |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3B | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.3BC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3BW | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.3EU | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.3JA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.3JEA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.3JEB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.3JEC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.3(8)JK1 | |
| | are | |
| 12.3JK | vulnerable, | 12.3(8)JK1 |
| | release | |
| | 12.3(8)JK1 | |
| | and later | |
| | are not | |
| | vulnerable; | |
|------------+-------------+-------------|
| 12.3JL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.3JX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3T | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.3TPC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.3VA | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | 12.3(2)XA7; | 12.3(2)XA7; |
| 12.3XA | Available | Available |
| | on | on |
| | 31-MAR-08 | 31-MAR-08 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XB | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | | 12.4(15)T4 |
| 12.3XC | 12.3(2)XC5 | |
| | | 12.4(18a) |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XD | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | 12.3(2)XE6; | 12.4(15)T4 |
| 12.3XE | Available | |
| | on | 12.4(18a) |
| | 31-MAR-08 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XF | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| | first fixed | 12.4(15)T4 |
| 12.3XG | in 12.3YG; | |
| | Available | 12.4(18a) |
| | on | |
| | 16-JUN-08 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XH | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | 12.3(7) | |
| | XI11; | |
| 12.3XI | Available | |
| | on | |
| | 18-SEP-08 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.3(14) |
| 12.3XJ | first fixed | YX11 |
| | in 12.3YX | |
| | | 12.4(15)T4 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XK | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XQ | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | 12.3(7)XR8; | 12.3(7)XR8; |
| 12.3XR | Available | Available |
| | on | on |
| | 31-MAR-08 | 31-MAR-08 |
|------------+-------------+-------------|
| 12.3XS | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XU | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | 12.3(14) |
| 12.3XW | first fixed | YX11 |
| | in 12.3YX | |
| | | 12.4(15)T4 |
|------------+-------------+-------------|
| 12.3XY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.3YA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.3YD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | 12.3(14) |
| 12.3YF | first fixed | YX11 |
| | in 12.3YX | |
| | | 12.4(15)T4 |
|------------+-------------+-------------|
| | 12.3(8)YG7; | |
| 12.3YG | Available | 12.4(15)T4 |
| | on | |
| | 16-JUN-08 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YH | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YI | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YJ | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YK | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.3YM | 12.3(14) | 12.3(14) |
| | YM12 | YM12 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YQ | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| | 12.3(11) | |
| | YS3; | |
| 12.3YS | Available | 12.4(15)T4 |
| | on | |
| | 31-MAR-08 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YT | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YU | first fixed | |
| | in 12.4XB | |
|------------+-------------+-------------|
| 12.3YX | 12.3(14) | 12.3(14) |
| | YX11 | YX11 |
|------------+-------------+-------------|
| 12.3YZ | 12.3(11)YZ3 | |
|------------+-------------+-------------|
| Affected | First Fixed | Recommended |
| 12.4-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| | 12.4(10c) | |
| | | |
| | 12.4(13e) | |
| | | |
| | 12.4(16b) | |
| 12.4 | | 12.4(18a) |
| | 12.4(17) | |
| | | |
| | 12.4(3h) | |
| | | |
| | 12.4(8d) | |
|------------+-------------+-------------|
| 12.4JA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4JK | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4JMA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4JMB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4JMC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4JX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | 12.4(15)MD; | |
| 12.4MD | Available | |
| | on | |
| | 09-MAY-08 | |
|------------+-------------+-------------|
| 12.4MR | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4SW | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | 12.4(15)T2 | |
| | | |
| 12.4T | 12.4(6)T10 | 12.4(15)T4 |
| | | |
| | 12.4(9)T7 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.4XA | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.4XB | 12.4(2)XB6 | |
|------------+-------------+-------------|
| 12.4XC | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.4XD | 12.4(4)XD10 | 12.4(4)XD10 |
|------------+-------------+-------------|
| 12.4XE | 12.4(6)XE2 | 12.4(15)T4 |
|------------+-------------+-------------|
| 12.4XF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4XG | 12.4(9)XG2 | 12.4(9)XG2 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.4XJ | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.4XK | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.4XL | 12.4(15)XL2 | |
|------------+-------------+-------------|
| 12.4XM | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4XN | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4XT | 12.4(6)XT2 | 12.4(6)XT2 |
|------------+-------------+-------------|
| 12.4XV | 12.4(11)XV | |
|------------+-------------+-------------|
| 12.4XW | Vulnerable; | 12.4(11)XW6 |
| | contact TAC | |
|------------+-------------+-------------|
| 12.4XY | Not | |
| | Vulnerable | |
+----------------------------------------+
A special patch for Cisco IOS Software Modularity is also available
and can be downloaded from the Cisco IOS Software Modularity Patch
Navigator at http://tools.cisco.com/swdf/ionpn/jsp/main.jsp.
Workarounds
===========
The workaround consists of filtering UDP packets to port 2067 and IP
protocol 91 packets. Filters can be applied at network boundaries to
filter all IP protocol 91 packets and UDP packets to port 2067 or can
be applied on individual affected devices to permit such traffic only
from trusted peer IP addresses. However, since both of the protocols
are connectionless, it is possible for an attacker to spoof malformed
packets from legitimate peer IP addresses.
As soon as DLSw is configured, the Cisco IOS device begins listening
on IP protocol 91. However, this protocol is only used if DLSw is
configured for Fast Sequenced Transport (FST). A DLSw FST peer
configuration will contain the following line:
"dlsw remote-peer 0 fst <ip-address>"
If FST is used, filtering IP protocol 91 will break the operation, so
filters need to permit protocol 91 traffic from legitimate peer IP
addresses.
It is possible to disable UDP processing in DLSw with the "dlsw
udp-disable" command. However, disabling UDP only prevents the sending
of UDP packets; it does not prevent the receiving and processing of
incoming UDP packets. To protect a vulnerable device from malicious
packets via UDP port 2067, both of the following actions must be
taken:
1. Disable UDP outgoing packets with the "dlsw udp-disable" command,
AND
2. Filter UDP 2067 in the vulnerable device using infrastructure
ACL.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080326-dlsw.shtml
Using Control Plane Policing on Affected Devices
+-----------------------------------------------
Control Plane Policing (CoPP) can be used to block untrusted DLSw
traffic to the device. Cisco IOS software releases 12.0S, 12.2SX,
12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP may be
configured on a device to protect the management and control planes
to minimize the risk and effectiveness of direct infrastructure
attacks by explicitly permitting only authorized traffic sent to
infrastructure devices in accordance with existing security policies
and configurations. The following example, which uses 192.168.100.1
to represent a trusted host, can be adapted to your network. If FST
is not used, protocol 91 may be completely filtered. Additionally, if
UDP is disabled with the "dlsw udp-disable" command, UDP port 2067
may also be completely filtered.

    !--- Deny DLSw traffic from trusted hosts to all IP addresses
    !--- configured on all interfaces of the affected device so that
    !--- it will be allowed by the CoPP feature

    access-list 111 deny udp host 192.168.100.1 any eq 2067
    access-list 111 deny 91 host 192.168.100.1 any

    !--- Permit all other DLSw traffic sent to all IP addresses
    !--- configured on all interfaces of the affected device so that it
    !--- will be policed and dropped by the CoPP feature

    access-list 111 permit udp any any eq 2067
    access-list 111 permit 91 any any

    !--- Permit (Police or Drop)/Deny (Allow) all other Layer 3 and Layer 4
    !--- traffic in accordance with existing security policies and
    !--- configurations for traffic that is authorized to be sent
    !--- to infrastructure devices

    !--- Create a Class-Map for traffic to be policed by
    !--- the CoPP feature

    class-map match-all drop-DLSw-class
     match access-group 111

    !--- Create a Policy-Map that will be applied to the
    !--- Control-Plane of the device.

    policy-map drop-DLSw-traffic
     class drop-DLSw-class
      drop

    !--- Apply the Policy-Map to the Control-Plane of the
    !--- device

    control-plane
     service-policy input drop-DLSw-traffic

In the above CoPP example, the access control entries (ACEs) which
match the potential exploit packets with the "permit" action result
in these packets being discarded by the policy-map "drop" function,
while packets that match the "deny" action (not shown) are not
affected by the policy-map drop function. Please note that in the
Cisco IOS 12.2S and 12.0S trains the policy-map syntax is different:

    policy-map drop-DLSw-traffic
     class drop-DLSw-class
      police 32000 1500 1500 conform-action drop exceed-action drop

Additional information on the configuration and use of the CoPP
feature is available at
http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804f…
and http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_gui….
Using Infrastructure ACLs at Network Boundary
+--------------------------------------------
Although it is often difficult to block traffic transiting your
network, it is possible to identify traffic that should never be
allowed to target your infrastructure devices and block that traffic
at the border of your network. iACLs are a network security best
practice and should be considered as a long-term addition to good
network security as well as a workaround for this specific
vulnerability. The iACL example shown below should be included as
part of the deployed infrastructure access-list that will protect all
devices with IP addresses in the infrastructure IP address range. If
FST is not used, protocol 91 may be completely filtered.
Additionally, if UDP is disabled with the "dlsw udp-disable" command,
UDP port 2067 may also be completely filtered.

    !--- Permit DLSw (UDP port 2067 and IP protocol 91) packets
    !--- from trusted hosts destined to infrastructure addresses.

    access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 2067
    access-list 150 permit 91 TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK

    !--- Deny DLSw (UDP port 2067 and IP protocol 91) packets from
    !--- all other sources destined to infrastructure addresses.

    access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 2067
    access-list 150 deny 91 any INFRASTRUCTURE_ADDRESSES MASK

    !--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
    !--- with existing security policies and configurations

    !--- Permit all other traffic to transit the device.

    access-list 150 permit ip any any

    interface serial 2/0
     ip access-group 150 in

The white paper entitled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and recommended
deployment techniques for infrastructure protection access lists.
This white paper can be obtained at the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0…
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.ht…
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that support organization for guidance and assistance
with the appropriate course of action with regard to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were found internally.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce(a)cisco.com
* first-teams(a)first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
* comp.dcom.sys.cisco(a)newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-----------------------------------------------------+
| Revision 1.0 | 2008-Mar-26 | Initial public release |
+-----------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.….
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkfqS64ACgkQ86n/Gc8U/uD2DwCgloXg5P1/99amiSHmfy+hWxw4
j3YAnjEDUj724NtdpJQcDw2Ui4pKwu01
=ufq4
-----END PGP SIGNATURE-----

Cisco Security Advisory: Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6 Dual-stack Routers
by Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS User Datagram Protocol Delivery
Issue For IPv4/IPv6 Dual-stack Routers
Advisory ID: cisco-sa-20080326-IPv4IPv6
http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml
Revision 1.0
For Public Release 2008 March 26 1600 UTC (GMT)
Summary
=======
A device running Cisco IOS software that has Internet Protocol
version 6 (IPv6) enabled may be subject to a denial of service (DoS)
attack. For the device to be affected by this vulnerability the
device also has to have certain Internet Protocol version 4 (IPv4)
User Datagram Protocol (UDP) services enabled. To exploit this
vulnerability an offending IPv6 packet must be targeted to the
device. Packets that are routed through the router cannot trigger
this vulnerability. Successful exploitation will prevent the
interface from receiving any additional traffic. The only exception
is the Resource Reservation Protocol (RSVP) service, which, if
exploited, will cause the device to crash. Only the interface on
which the vulnerability was exploited will be affected.
Cisco is providing fixed software to address this issue. There are
workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml
Note: The March 26, 2008 publication includes five Security
Advisories. The Advisories all affect Cisco's Internetwork Operating
System (IOS). Each Advisory lists the releases that correct the
vulnerability described in the Advisory, and the Advisories also
detail the releases that correct the vulnerabilities in all five
Advisories. Please reference the following software table to find a
release which fixes all published Security Advisories as of March
26th, 2008.
* March 26th bundled IOS Advisory Table
http://www.cisco.com/warp/public/707/cisco-sa-20080326-bundle.shtml
Individual publication links are listed below:
* Cisco IOS Virtual Private Dial-up Network Denial of Service
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml
* Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS
http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml
* Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6
Dual-stack Routers
http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml
* Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor
32, Supervisor 720, or Route Switch Processor 720
http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml
* Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak
http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml
Affected Products
=================
Vulnerable Products
+------------------
Only Cisco IOS software releases that have IPv6 enabled are affected
by this vulnerability. To be vulnerable, both support for the IPv6
protocol and IPv4 UDP-based services must be enabled on the device.
IPv6 is not enabled by default in Cisco IOS software.
To determine the software running on a Cisco IOS product, log in to
the device and issue the show version command to display the system
banner. Cisco IOS software will identify itself as "Internetwork
Operating System Software" or simply "IOS." On the next line of
output, the image name will be displayed between parentheses,
followed by "Version" and the Cisco IOS software release name. Other
Cisco devices will not have the show version command, or will give
different output.
The following example shows output from a device running a Cisco IOS
image:

    Router>show version
    Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(15)T2, RELEASE SOFTWARE (fc7)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 17-Jan-08 23:12 by prod_rel_team

Additional information about Cisco IOS software release naming is
available at the following link:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper….
In order for an interface to be vulnerable two conditions must be
satisfied:
 1. An interface must have IPv6 enabled.
 2. One or more of the following IPv4 UDP-based services must be
    enabled:
      * TACACS - port 49
      * Domain Name System (DNS) server - port 53
      * Resource Reservation Protocol (RSVP) - port 1698
      * Layer Two Forwarding (L2F)/Layer Two Tunnel Protocol (L2TP) -
        port 1701
      * IP SLA Responder - port 1967
      * Media Gateway Control Protocol (MGCP) - port 2427
      * Session Initiation Protocol (SIP) - port 5060
No other IPv4 UDP-based services are known to be affected.
How To Verify If IPv6 Is Enabled
+-------------------------------
The IPv6 protocol is enabled on an interface if either or both of the
following configuration lines are present in the configuration:

    Router#show running-config
    interface FastEthernet0/1
     ipv6 address 2001:0DB8:C18:1::/64 eui-64

    Router#show running-config
    interface FastEthernet0/1
     ipv6 enable

If any of the interfaces contain either or both of the ipv6 lines
then IPv6 is enabled on that particular interface.
How To Verify If IPv4 UDP-based Services Are Enabled
+---------------------------------------------------
To determine whether the device is affected, use the show ip sockets
command to display all UDP ports the device is listening on. In some
newer IOS releases the show ip sockets command is obsoleted, and the
alternate command show udp can be used instead. Its output is
identical to that of the show ip sockets command.
The device is vulnerable if the Local Port column (fifth from the
left) in the output of show ip sockets contains any of the port
numbers listed in the example below.

    Router#show ip sockets
    Proto Remote          Port  Local           Port  In  Out Stat TTY OutputIF
    17    192.168.100.1   49    192.168.100.2   49    0   0   11   0
    17    0.0.0.0         0     192.168.100.2   53    0   0   211  0
    17    --listen--            192.168.100.2   1698  0   0   1    0
    17    192.168.100.1   1701  192.168.100.2   1701  1   0   1021 0
    17    0.0.0.0         0     192.168.100.2   1967  0   0   211  0
    17    0.0.0.0         0     --any--         2427  0   0   211  0
    17    0.0.0.0         0     --any--         5060  0   0   211  0

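The two verification steps above can be run offline against saved command output. The following Python is an added example, not part of the Cisco advisory; the function names and the sample configuration and socket listing are constructed for illustration, and the port list is the one given in this advisory.

```python
import re

# Affected IPv4 UDP-based services and ports, as listed in this advisory.
AFFECTED_UDP_PORTS = {
    49: "TACACS", 53: "DNS server", 1698: "RSVP", 1701: "L2F/L2TP",
    1967: "IP SLA Responder", 2427: "MGCP", 5060: "SIP",
}

def ipv6_interfaces(running_config):
    """Interfaces carrying an 'ipv6 address ...' or 'ipv6 enable' line."""
    found, current = [], None
    for raw in running_config.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            # Top-level line: either opens an interface block or closes one.
            m = re.match(r"interface\s+(\S+)", raw)
            current = m.group(1) if m else None
        elif current and re.match(r"ipv6\s+(address\s+\S+|enable)", raw.strip()):
            # 'no ipv6 ...' lines start with 'no' and therefore do not match.
            if current not in found:
                found.append(current)
    return found

def listening_udp_ports(show_ip_sockets):
    """Local UDP ports from 'show ip sockets' (or 'show udp') output."""
    ports = set()
    for line in show_ip_sockets.splitlines():
        tok = line.split()
        if len(tok) < 8 or tok[0] != "17":  # 17 = UDP; skips prompt and header
            continue
        # '--listen--' rows have no remote-port field, so Local Port shifts left.
        idx = 3 if tok[1] == "--listen--" else 4
        if tok[idx].isdigit():
            ports.add(int(tok[idx]))
    return ports

def assess(running_config, show_ip_sockets):
    """Device-level verdict: both advisory conditions must hold.

    'show ip sockets' carries no interface information, so the result says
    the device meets the conditions, not which interface is exposed.
    """
    v6 = ipv6_interfaces(running_config)
    open_ports = sorted(listening_udp_ports(show_ip_sockets))
    exposed = {p: AFFECTED_UDP_PORTS[p] for p in open_ports if p in AFFECTED_UDP_PORTS}
    return {
        "ipv6_interfaces": v6,
        "affected_services": exposed,
        "meets_conditions": bool(v6) and bool(exposed),
        # Per the advisory, RSVP is the one service whose exploitation crashes the device.
        "rsvp_crash_risk": bool(v6) and 1698 in exposed,
    }

# Constructed sample input, not captured from a real device.
SAMPLE_CONFIG = """\
Router#show running-config
interface FastEthernet0/0
 ip address 192.168.100.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.101.2 255.255.255.0
 ipv6 address 2001:0DB8:C18:1::/64 eui-64
!
interface FastEthernet0/2
 no ip address
 ipv6 enable
!
"""

SAMPLE_SOCKETS = """\
Router#show ip sockets
Proto Remote          Port  Local           Port  In  Out Stat TTY OutputIF
17    0.0.0.0         0     192.168.100.2   53    0   0   211  0
17    --listen--            192.168.100.2   1698  0   0   1    0
17    192.168.100.1   123   192.168.100.2   123   0   0   1    0
17    0.0.0.0         0     --any--         5060  0   0   211  0
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_CONFIG, SAMPLE_SOCKETS).items():
        print(f"{key}: {value}")
```
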
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by this
vulnerability.
Any device running Cisco IOS without IPv6 enabled is not vulnerable.
Cisco IOS XR and Cisco PIX/ASA are not affected.
Details
=======
To exploit this vulnerability an offending IPv6 packet must be
targeted to the device. Packets that are routed through the router
cannot trigger this vulnerability. Successful exploitation of the
vulnerability may result in one of the following two conditions:
1. The device will crash if RSVP service is configured on the
interface.
2. Any other affected IPv4 UDP-based service will prevent the
interface from receiving additional traffic. Only the interface
on which the vulnerability is exploited will be affected.
This vulnerability is independent of the interface media type. A
blocked interface will immediately stop receiving any subsequent
packets destined to the device itself until it is unblocked. It is
possible to unblock the interface using methods other than a device
reload. These methods are described in the Workarounds section. All
other interfaces are unaffected and will continue receiving and
transmitting packets.
A blocked interface may allow transit traffic to flow for a period of
time. Transit traffic may continue to flow until either the
respective routing entry or Address Resolution Protocol (ARP) entry
expires, whichever event occurs first. Depending on the circumstances
the transit traffic can stop flowing through the blocked interface
within a few seconds or continue up to four hours (which is the ARP
cache default lifetime). After that no further transit traffic will
flow through the blocked interface.
No other IPv4 UDP-based services are known to be affected by this
vulnerability.
This vulnerability is documented in Cisco Bug ID CSCse56501, and has
been assigned the Common Vulnerabilities and Exposures (CVE) ID
CVE-2008-1153.
Identification Of Vulnerability Exploitation
+-------------------------------------------
The show interfaces command can be used to view the input queue size
to identify a blocked input interface. A device that is under attack
but not yet blocked will show the Input queue size increasing without
a subsequent decrease. If the current size (in this case, 76) is
larger than the maximum size (75), the input queue is blocked. The
value of 75 is the default and can be changed using the interface
command hold-queue X in.

    Router#show interfaces FastEthernet 0/1 | include queue
      Input queue: 76/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Output queue: 0/40 (size/max)

The example above shows that the interface FastEthernet0/1 is
blocked.
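The input-queue check described above can be applied to successive polls of every interface at once. The following Python is an added example, not part of the Cisco advisory; the function names, the three verdict labels and the sample polls are constructed for illustration, and it expects full show interfaces output (with the per-interface header lines) rather than the filtered output shown above.

```python
import re

HEADER = re.compile(r"^(\S+) is .*line protocol is")
INPUT_Q = re.compile(r"Input queue:\s*(\d+)/(\d+)/\d+/\d+")

def input_queues(show_interfaces):
    """Map interface name -> (size, max) from full 'show interfaces' output."""
    queues, current = {}, None
    for line in show_interfaces.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            continue
        q = INPUT_Q.search(line)
        if q and current:
            queues[current] = (int(q.group(1)), int(q.group(2)))
    return queues

def classify(polls):
    """Classify each interface from successive polls, oldest first.

    blocked: current size exceeds the maximum (the advisory's criterion).
    filling: size has grown across the polls without ever decreasing.
             This is an indicator to investigate, not proof of an attack.
    normal:  anything else.
    """
    history = {}
    for output in polls:
        for name, sample in input_queues(output).items():
            history.setdefault(name, []).append(sample)
    verdicts = {}
    for name, samples in history.items():
        sizes = [size for size, _ in samples]
        last_size, last_max = samples[-1]
        rising = all(b >= a for a, b in zip(sizes, sizes[1:]))
        if last_size > last_max:
            verdicts[name] = "blocked"
        elif len(sizes) > 1 and rising and sizes[-1] > sizes[0]:
            verdicts[name] = "filling"
        else:
            verdicts[name] = "normal"
    return verdicts

def _sample(fa0, fa1, fa2):
    # Constructed 'show interfaces' excerpt, not captured from a real device.
    # FastEthernet0/2 is assumed to have its hold-queue raised to 150.
    return f"""\
FastEthernet0/0 is up, line protocol is up
  Input queue: {fa0}/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Output queue: 0/40 (size/max)
FastEthernet0/1 is up, line protocol is up
  Input queue: {fa1}/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Output queue: 0/40 (size/max)
FastEthernet0/2 is up, line protocol is up
  Input queue: {fa2}/150/0/0 (size/max/drops/flushes); Total output drops: 0
  Output queue: 0/40 (size/max)
"""

# Three polls, oldest first.
SAMPLE_POLLS = [_sample(0, 13, 20), _sample(2, 40, 60), _sample(0, 76, 110)]

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_POLLS).items():
        print(name, verdict)
```
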
The show ip sockets command can be used to determine which protocol
blocks the interface. If the In column (sixth from the left) of the
output contains any number other than zero (0), that is an indication
that packets of that particular protocol are blocking, or starting to
block, the interface. The following example shows DNS packets that
are beginning to fill the input queue of the interface. The interface
is not completely blocked because only 13 packets are in the input
queue.

    Router#show ip sockets
    Proto Remote          Port  Local           Port  In  Out Stat TTY OutputIF
    17    192.168.100.1   49    192.168.100.2   49    0   0   11   0
    17    0.0.0.0         0     192.168.100.2   53    13  0   211  0
    17    --listen--            192.168.100.2   1698  0   0   1    0
    17    192.168.100.1   1701  192.168.100.2   1701  1   0   1021 0
    17    0.0.0.0         0     192.168.100.2   1967  0   0   211  0
    17    0.0.0.0         0     --any--         2427  0   0   211  0
    17    0.0.0.0         0     --any--         5060  0   0   211  0

The output of the show ip sockets command does not provide
information on interfaces. It is possible that packets from multiple
protocols may be blocking a single interface. The output of the
command must be interpreted with the device's configuration to
establish the affected port.
Additional methods that can be used to detect blocked interfaces are
described in the "Cisco Applied Mitigation Bulletin: User Datagram
Protocol Delivery Issue For IPv4/IPv6 Dual-Stack Routers" document,
available at
http://www.cisco.com/warp/public/707/cisco-amb-20080326-IPv4IPv6.shtml.
The method utilizes Embedded Event Manager (EEM) and Applets or an
EEM Script.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCse56501 - UDP delivery issue when IPv4 and IPv6 are bound to the
same socket

CVSS Base Score - 7.8
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - None
    Integrity Impact       - None
    Availability Impact    - Complete

CVSS Temporal Score - 6.4
    Exploitability    - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======
Successful exploitation of the vulnerability can result in one of the
following two conditions:
1. The device will crash if RSVP service is configured on the
interface.
2. Any other affected IPv4 UDP-based service will prevent the
interface from receiving additional traffic. Only the interface
on which the vulnerability is exploited will be affected.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+----------------------------------------+
| Major | Availability of Repaired |
| Release | Releases |
|------------+---------------------------|
| Affected | First Fixed | Recommended |
| 12.0-Based | Release | Release |
| Releases | | |
|----------------------------------------|
| There are no affected 12.0 based |
| releases |
|----------------------------------------|
| Affected | First Fixed | Recommended |
| 12.1-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| 12.1 | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1AA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1AX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1AY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1AZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1CX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1DA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1DB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1DC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1E | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1EA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1EB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1EC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1EO | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1EU | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1EV | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1EW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1EX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1EY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1EZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1GA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1GB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1T | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XH | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XI | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XJ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XK | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XM | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XN | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XO | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XP | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XQ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XR | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XS | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XT | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XU | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XV | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.1XW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1YA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1YB | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1YC | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1YD | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.1(5)YE6 | |
| | are | |
| | vulnerable, | |
| 12.1YE | release | 12.3(26) |
| | 12.1(5)YE6 | |
| | and later | |
| | are not | |
| | vulnerable; | |
| | first fixed | |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1YF | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.1YG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1YH | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1YI | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.1YJ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| Affected | First Fixed | Recommended |
| 12.2-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| 12.2 | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2B | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2BC | first fixed | 12.3(23)BC1 |
| | in 12.3BC | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2BW | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2BY | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2BZ | first fixed | |
| | in 12.3XI | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2CX | first fixed | 12.3(23)BC1 |
| | in 12.3BC | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2CY | first fixed | 12.3(23)BC1 |
| | in 12.3BC | |
|------------+-------------+-------------|
| 12.2CZ | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2DA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2DD | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2DX | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | | 12.2(25) |
| | | EWA13 |
| | Vulnerable; | |
| 12.2EU | first fixed | 12.2(31) |
| | in 12.2SG | SGA5 |
| | | |
| | | 12.2(44)SG |
|------------+-------------+-------------|
| | | 12.2(25) |
| | | EWA13 |
| | Vulnerable; | |
| 12.2EW | first fixed | 12.2(31) |
| | in 12.2SG | SGA5 |
| | | |
| | | 12.2(44)SG |
|------------+-------------+-------------|
| | 12.2(25) | |
| | EWA10 | 12.2(25) |
| 12.2EWA | | EWA13 |
| | 12.2(25) | |
| | EWA11 | |
|------------+-------------+-------------|
| | 12.2(35)EX1 | |
| 12.2EX | | 12.2(40)EX1 |
| | 12.2(37)EX | |
|------------+-------------+-------------|
| 12.2EY | 12.2(37)EY | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2EZ | first fixed | |
| | in 12.2SEE | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2FX | first fixed | |
| | in 12.2SEE | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(25) |
| 12.2FY | first fixed | SEG4 |
| | in 12.2SEG | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2FZ | first fixed | 12.2(44)SE1 |
| | in 12.2SE | |
|------------+-------------+-------------|
| 12.2IXA | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2IXB | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2IXC | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2IXD | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2IXE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2JA | first fixed | |
| | in 12.3JA | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2JK | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.2MB | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2MC | 12.2(15) | 12.4(18a) |
| | MC2h | |
|------------+-------------+-------------|
| | 12.2(14)S18 | |
| | | |
| | 12.2(18)S13 | |
| 12.2S | | 12.2(25)S15 |
| | 12.2(20)S14 | |
| | | |
| | 12.2(25)S13 | |
|------------+-------------+-------------|
| | 12.2(28)SB7 | |
| | | |
| | 12.2(31)SB5 | |
| 12.2SB | | 12.2(28) |
| | 12.2(33)SB; | SB12 |
| | Available | |
| | on | |
| | 31-MAR-2008 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| | first fixed | |
| 12.2SBC | in 12.2SB; | 12.2(28) |
| | Available | SB12 |
| | on | |
| | 31-MAR-2008 | |
|------------+-------------+-------------|
| 12.2SCA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | 12.2(35)SE4 | |
| 12.2SE | | 12.2(44)SE1 |
| | 12.2(37)SE | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SEA | first fixed | |
| | in 12.2SEE | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SEB | first fixed | |
| | in 12.2SEE | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SEC | first fixed | |
| | in 12.2SEE | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SED | first fixed | |
| | in 12.2SEE | |
|------------+-------------+-------------|
| 12.2SEE | 12.2(25) | |
| | SEE4 | |
|------------+-------------+-------------|
| 12.2SEF | 12.2(25) | 12.2(44)SE1 |
| | SEF3 | |
|------------+-------------+-------------|
| 12.2SEG | 12.2(25) | 12.2(25) |
| | SEG3 | SEG4 |
|------------+-------------+-------------|
| | 12.2(25)SG3 | |
| | | |
| 12.2SG | 12.2(31)SG3 | 12.2(44)SG |
| | | |
| | 12.2(37)SG | |
|------------+-------------+-------------|
| | 12.2(31) | |
| | SGA2 | |
| | | |
| | 12.2(31) | |
| | SGA3 | 12.2(31) |
| 12.2SGA | | SGA5 |
| | 12.2(31) | |
| | SGA6; | |
| | Available | |
| | on | |
| | 07-APR-2008 | |
|------------+-------------+-------------|
| 12.2SL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SM | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SO | migrate to | 12.2(29)SVD |
| | any release | |
| | in 12.2SVA | |
|------------+-------------+-------------|
| 12.2SRA | 12.2(33) | 12.2(33) |
| | SRA4 | SRA7 |
|------------+-------------+-------------|
| | | 12.2(33) |
| | 12.2(33) | SRB3; |
| 12.2SRB | SRB1 | Available |
| | | on |
| | | 31-MAR-2008 |
|------------+-------------+-------------|
| 12.2SRC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SU | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.2SV | 12.2(29b)SV | 12.2(29b)SV |
|------------+-------------+-------------|
| 12.2SVA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SVC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SVD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SW | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SX | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SXA | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SXB | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SXD | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SXE | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | 12.2(18) | |
| | SXF10a | |
| | | |
| | 12.2(18) | |
| | SXF12a | 12.2(18) |
| 12.2SXF | | SXF13 |
| | 12.2(18) | |
| | SXF13a | |
| | | |
| | 12.2(18) | |
| | SXF9 | |
|------------+-------------+-------------|
| 12.2SXH | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SY | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | | 12.2(25)S15 |
| | Vulnerable; | |
| 12.2SZ | first fixed | 12.2(28) |
| | in 12.2S | SB12 |
| | | |
| | | 12.2(33)SRC |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2T | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.2TPC | 12.2(8) | |
| | TPC10b | |
|------------+-------------+-------------|
| | Vulnerable; | |
| | first fixed | |
| 12.2UZ | in 12.2SB; | 12.2(28) |
| | Available | SB12 |
| | on | |
| | 31-MAR-2008 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XA | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XB | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XC | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XD | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XE | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XF | first fixed | 12.3(23)BC1 |
| | in 12.3BC | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XG | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XH | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XI | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XJ | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XK | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XL | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XM | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.2XN | 12.2(33)XN1 | 12.3(26) |
|------------+-------------+-------------|
| 12.2XO | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XQ | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XR | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.2XS | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XT | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XU | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XV | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XW | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | 12.2(4) | |
| | YA13; | |
| 12.2YA | Available | 12.3(26) |
| | on | |
| | 31-MAR-2008 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YB | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YC | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YD | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | | 12.2(25)S15 |
| | Vulnerable; | |
| 12.2YE | first fixed | 12.2(28) |
| | in 12.2S | SB12 |
| | | |
| | | 12.2(33)SRC |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YF | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YG | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YH | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YJ | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YK | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YL | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YM | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YN | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2YO | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YP | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YQ | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YR | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.2YS | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YT | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YU | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YV | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YW | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YX | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YY | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | | 12.2(25)S15 |
| | Vulnerable; | |
| 12.2YZ | first fixed | 12.2(28) |
| | in 12.2S | SB12 |
| | | |
| | | 12.2(33)SRC |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2ZA | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZB | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZC | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.2ZD | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZE | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZF | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T4 |
| 12.2ZG | first fixed | |
| | in 12.3YG | 12.4(18a) |
|------------+-------------+-------------|
| 12.2ZH | 12.2(13)ZH9 | 12.2(13) |
| | | ZH11 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZJ | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T4 |
| 12.2ZL | first fixed | |
| | in 12.4 | 12.4(18a) |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZP | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZU | migrate to | 12.2(33) |
| | any release | SXH2 |
| | in 12.2SXH | |
|------------+-------------+-------------|
| 12.2ZY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| Affected | First Fixed | Recommended |
| 12.3-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| | 12.3(17c) | |
| | | |
| | 12.3(18a) | |
| 12.3 | | 12.3(26) |
| | 12.3(19a) | |
| | | |
| | 12.3(23) | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3B | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | 12.3(17b) | |
| | BC8 | |
| | | |
| 12.3BC | 12.3(21a) | 12.3(23)BC1 |
| | BC2 | |
| | | |
| | 12.3(23)BC | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3BW | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.3EU | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | 12.3(11)JA4 | |
| 12.3JA | | |
| | 12.3(7)JA5 | |
|------------+-------------+-------------|
| 12.3JEA | 12.3(8)JEA2 | 12.3(8)JEA4 |
|------------+-------------+-------------|
| 12.3JEB | 12.3(8)JEB1 | 12.3(8)JEB2 |
|------------+-------------+-------------|
| 12.3JEC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | 12.3(2)JK3 | |
| 12.3JK | | 12.3(8)JK1 |
| | 12.3(8)JK | |
|------------+-------------+-------------|
| 12.3JL | 12.3(2)JL2 | 12.3(2)JL4 |
|------------+-------------+-------------|
| 12.3JX | 12.3(7)JX9 | 12.3(7)JX10 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3T | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.3TPC | 12.3(4) | |
| | TPC11b | |
|------------+-------------+-------------|
| 12.3VA | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | | 12.3(2)XA7; |
| 12.3XA | 12.3(2)XA6 | Available |
| | | on |
| | | 31-MAR-2008 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XB | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | | 12.4(15)T4 |
| 12.3XC | 12.3(2)XC5 | |
| | | 12.4(18a) |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XD | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | 12.3(2)XE6; | 12.4(15)T4 |
| 12.3XE | Available | |
| | on | 12.4(18a) |
| | 31-MAR-2008 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XF | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T4 |
| 12.3XG | first fixed | |
| | in 12.3YG | 12.4(18a) |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XH | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.3XI | 12.3(7)XI10 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.3(14) |
| 12.3XJ | first fixed | YX11 |
| | in 12.3YX | |
| | | 12.4(15)T4 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XK | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XQ | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | | 12.3(7)XR8; |
| 12.3XR | 12.3(7)XR7 | Available |
| | | on |
| | | 31-MAR-2008 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XS | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XU | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | 12.3(14) |
| 12.3XW | first fixed | YX11 |
| | in 12.3YX | |
| | | 12.4(15)T4 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XY | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T4 |
| 12.3YA | first fixed | |
| | in 12.4 | 12.4(18a) |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YD | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | 12.3(14) |
| 12.3YF | first fixed | YX11 |
| | in 12.3YX | |
| | | 12.4(15)T4 |
|------------+-------------+-------------|
| 12.3YG | 12.3(8)YG6 | 12.4(15)T4 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YH | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YI | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YJ | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.3YK | 12.3(11)YK3 | 12.4(15)T4 |
|------------+-------------+-------------|
| 12.3YM | 12.3(14) | 12.3(14) |
| | YM10 | YM12 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YQ | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| | 12.3(11) | |
| | YS3; | |
| 12.3YS | Available | 12.4(15)T4 |
| | on | |
| | 31-MAR-2008 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YT | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YU | first fixed | |
| | in 12.4XB | |
|------------+-------------+-------------|
| 12.3YX | 12.3(14)YX8 | 12.3(14) |
| | | YX11 |
|------------+-------------+-------------|
| 12.3YZ | 12.3(11)YZ2 | |
|------------+-------------+-------------|
| Affected | First Fixed | Recommended |
| 12.4-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| | 12.4(10c) | |
| | | |
| | 12.4(12) | |
| | | |
| | 12.4(17a) | |
| | | |
| 12.4 | 12.4(3h) | 12.4(18a) |
| | | |
| | 12.4(5c) | |
| | | |
| | 12.4(7e) | |
| | | |
| | 12.4(8d) | |
|------------+-------------+-------------|
| 12.4JA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4JK | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4JMA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4JMB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4JMC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4JX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4MD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4MR | 12.4(12)MR | 12.4(16)MR2 |
|------------+-------------+-------------|
| 12.4SW | 12.4(11)SW3 | 12.4(15)SW |
|------------+-------------+-------------|
| | 12.4(11)T2 | |
| | | |
| | 12.4(15)T | |
| | | |
| | 12.4(2)T6 | |
| 12.4T | | 12.4(15)T4 |
| | 12.4(4)T8 | |
| | | |
| | 12.4(6)T8 | |
| | | |
| | 12.4(9)T3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.4XA | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.4XB | 12.4(2)XB6 | |
|------------+-------------+-------------|
| 12.4XC | 12.4(4)XC7 | |
|------------+-------------+-------------|
| 12.4XD | 12.4(4)XD7 | 12.4(4)XD10 |
|------------+-------------+-------------|
| 12.4XE | 12.4(6)XE2 | 12.4(15)T4 |
|------------+-------------+-------------|
| 12.4XF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4XG | 12.4(9)XG2 | 12.4(9)XG2 |
|------------+-------------+-------------|
| 12.4XJ | 12.4(11)XJ4 | 12.4(15)T4 |
|------------+-------------+-------------|
| 12.4XK | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4XL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4XM | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4XN | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4XT | 12.4(6)XT1 | 12.4(6)XT2 |
|------------+-------------+-------------|
| 12.4XV | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4XW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4XY | Not | |
| | Vulnerable | |
+----------------------------------------+
Workarounds
===========
A blocked interface can be unblocked by disabling the UDP service
whose packets are blocking the interface. This procedure can restore
normal operation of the interface without rebooting the device. The
procedures for disabling vulnerable services are described in the "If
IPv4 UDP-based Services Are Not Required" section.
The following workarounds are options that may be available depending
on the Cisco IOS software running on the device and the operating
environment. The workarounds depend on whether IPv6 or any of the
affected UDP services are required for the normal operation.
If IPv6 Protocol Is Not Required
+-------------------------------
Disable IPv6. To disable IPv6 use the following commands:
Router(config)#interface FastEthernet0/0
Router(config-if)#no ipv6 address
or
Router(config)#interface FastEthernet0/0
Router(config-if)#no ipv6 enable
If RSVP is the only affected service that is configured it is
sufficient to disable IPv6 only on the interface where RSVP is
configured. If any other affected UDP service is present on the
device then IPv6 would have to be disabled from all interfaces.
If IPv4 UDP-based Services Are Not Required
+------------------------------------------
Disable all affected IPv4 UDP-based services.
Disabling TACACS
+---------------
To disable TACACS use the following commands:
Router(config)#no tacacs-server host <IP-address>
or
Router(config)#no tacacs-server administration
Disabling DNS
+------------
To disable DNS use the following command:
Router(config)#no ip dns server
Disabling RSVP
+-------------
To disable RSVP use the following commands:
Router(config)#interface <Interface>
Router(config-if)#no ip rsvp bandwidth
Disabling L2F/L2TP
+-----------------
To disable L2F/L2TP use the following commands:
Router(config)#clear vpdn tunnel l2tp all
Router(config)#no vpdn-group <group-name>
Router(config)#no vpdn enable
Disabling IP SLA Responder
+-------------------------
To disable IP SLA Responder use the following command:
Router(config)#no ip sla monitor responder
Disabling MGCP
+-------------
To disable MGCP use the following command:
Router(config)#no mgcp
Disabling SIP
+------------
To disable SIP use the following commands:
Router(config)#sip-ua
Router(config-sip-ua)#no transport udp
Router(config-sip-ua)#no transport tcp
If IPv4 UDP-based Services Are Required
+---------------------------------------
By deploying an IPv6 Access Control List (ACL), it is possible to
prevent offending IPv6 packets from reaching vulnerable UDP services.
The ACL in the following example will block all IPv6 traffic from
reaching vulnerable services.
Router(config)#ipv6 access-list protect_IPv4_services
Router(config-ipv6-acl)#deny udp any 2001:DB8:1:128::/64 eq tacacs
Router(config-ipv6-acl)#deny udp any 2001:DB8:1:128::/64 eq domain
Router(config-ipv6-acl)#deny udp any 2001:DB8:1:128::/64 eq 1698
Router(config-ipv6-acl)#deny udp any 2001:DB8:1:128::/64 eq 1701
Router(config-ipv6-acl)#deny udp any 2001:DB8:1:128::/64 eq 1967
Router(config-ipv6-acl)#deny udp any 2001:DB8:1:128::/64 eq 2427
Router(config-ipv6-acl)#deny udp any 2001:DB8:1:128::/64 eq 5060
!-- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations
!
!-- Allow all other IPv6 traffic
Router(config-ipv6-acl)#permit ipv6 any 2001:db8:1:128::/64
!
!
Router(config)#interface FastEthernet0/1
Router(config-if)#ipv6 traffic-filter protect_IPv4_services in
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080326-IPv4IPv6.shtml
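The following Python sketch is an added example, not part of Cisco's advisory: it reads a saved running configuration, notes which affected services appear to be configured, and lists the UDP ports that the inbound IPv6 ACL leaves reachable on each IPv6-enabled interface. Assumptions: the sample configuration is constructed, the service patterns are the positive forms of the "no" commands above, the port-to-service pairing follows the well-known port assignments, and a deny that follows a permit line is not credited.

```python
import re

# Service -> (UDP port from the advisory's ACL, config line suggesting the
# service is on). Patterns are the positive forms of the advisory's "no"
# commands (assumption); port pairing uses well-known port assignments.
SERVICES = {
    "TACACS": (49, re.compile(r"tacacs-server (host|administration)\b")),
    "DNS": (53, re.compile(r"ip dns server\b")),
    "RSVP": (1698, re.compile(r"ip rsvp bandwidth\b")),
    "L2F/L2TP": (1701, re.compile(r"vpdn enable\b")),
    "IP SLA Responder": (1967, re.compile(r"ip sla monitor responder\b")),
    "MGCP": (2427, re.compile(r"mgcp\b")),
    "SIP": (5060, re.compile(r"sip-ua\b")),
}
PORT_KEYWORDS = {"tacacs": 49, "domain": 53}  # ACL port keywords used above

# Only "deny udp any <destination> eq <port>" entries are recognised.
DENY_RE = re.compile(r"(?:sequence \d+ )?deny udp any (?:any|host \S+|\S+) eq (\S+)")
PERMIT_RE = re.compile(r"(?:sequence \d+ )?permit (?:ipv6|udp) ")
FILTER_RE = re.compile(r"ipv6 traffic-filter (\S+) in\b")

# Constructed sample; addresses come from documentation ranges.
SAMPLE_CONFIG = """\
tacacs-server host 192.0.2.10
ip sla monitor responder
!
interface FastEthernet0/0
 ipv6 address 2001:DB8:1:128::1/64
 ip rsvp bandwidth
!
interface FastEthernet0/1
 ipv6 enable
 ipv6 traffic-filter protect_IPv4_services in
!
interface FastEthernet0/2
 ip address 192.0.2.1 255.255.255.0
!
ipv6 access-list protect_IPv4_services
 deny udp any 2001:DB8:1:128::/64 eq tacacs
 deny udp any 2001:DB8:1:128::/64 eq 1698
 permit ipv6 any 2001:DB8:1:128::/64
 deny udp any 2001:DB8:1:128::/64 eq 1967
"""


def parse_config(text):
    """Return (services, interfaces, acls) found in a running configuration."""
    services, interfaces, acls = set(), {}, {}
    block = None  # dict of the interface or ACL currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        for name, (_port, pattern) in SERVICES.items():
            if pattern.match(line):  # "no ..." lines never match
                services.add(name)
        if not raw.startswith(" "):  # top-level line: a new block may start
            block = None
            if line.startswith("interface "):
                block = interfaces.setdefault(
                    line.split(None, 1)[1], {"ipv6": False, "filter": None})
            elif line.startswith("ipv6 access-list "):
                block = acls.setdefault(
                    line.split()[2], {"denied": set(), "open": True})
            continue
        if block is None:
            continue
        if "ipv6" in block:  # interface sub-command
            if re.match(r"ipv6 (address|enable)\b", line):
                block["ipv6"] = True
            m = FILTER_RE.match(line)
            if m:
                block["filter"] = m.group(1)
        else:  # IPv6 ACL entry; the first matching entry wins on the router
            if PERMIT_RE.match(line):
                block["open"] = False  # later denies may never be reached
            m = DENY_RE.match(line)
            if m and block["open"]:
                token = m.group(1)
                port = PORT_KEYWORDS.get(token) or (
                    int(token) if token.isdigit() else None)
                if port:
                    block["denied"].add(port)
    return services, interfaces, acls


def audit(text):
    """Map each IPv6-enabled interface to the affected ports left open."""
    services, interfaces, acls = parse_config(text)
    required = {SERVICES[name][0] for name in services}
    findings = {}
    for name, intf in interfaces.items():
        if not intf["ipv6"]:
            continue  # IPv6 is off here, which is the first workaround
        denied = acls.get(intf["filter"], {"denied": set()})["denied"]
        findings[name] = sorted(required - denied)
    return services, findings


if __name__ == "__main__":
    found, report = audit(SAMPLE_CONFIG)
    print("services configured:", sorted(found))
    for interface, ports in report.items():
        print(interface, "uncovered UDP ports:", ports or "none")
```

An empty list for an interface means every port belonging to a configured service is denied before any permit entry in the ACL applied inbound on that interface.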
Obtaining Fixed Software
========================
Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.ht…
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action with regard to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was encountered in customer networks.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce(a)cisco.com
* first-bulletin(a)first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
* comp.dcom.sys.cisco(a)newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-Mar-26 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.….
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

Cisco Security Advisory: Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak
by Cisco Systems Product Security Incident Response Team
Cisco Security Advisory: Cisco IOS Multicast Virtual Private Network
(MVPN) Data Leak
Advisory ID: cisco-sa-20080326-mvpn
http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml
Revision 1.0
For Public Release 2008 March 26 1600 UTC (GMT)
Summary
=======
A vulnerability in the Cisco implementation of Multicast Virtual
Private Network (MVPN) is subject to exploitation that can allow a
malicious user to create extra multicast states on the core routers
or receive multicast traffic from other Multiprotocol Label Switching
(MPLS) based Virtual Private Networks (VPN) by sending specially
crafted messages.
Cisco has released free software updates that address this
vulnerability. Workarounds that mitigate this vulnerability are
available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml
Note: The March 26, 2008 publication includes five Security
Advisories. The Advisories all affect Cisco IOS. Each Advisory lists
the releases that correct the vulnerability described in the
Advisory, and the Advisories also detail the releases that correct
the vulnerabilities in all five Advisories. Please reference the
following software table to find a release that fixes all published
Security Advisories as of March 26th, 2008.
* March 26th bundled IOS Advisory Table
http://www.cisco.com/warp/public/707/cisco-sa-20080326-bundle.shtml
Individual publication links are listed below:
* Cisco IOS Virtual Private Dial-up Network Denial of Service
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml
* Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS
http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml
* Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6
Dual-stack Routers
http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml
* Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor
32, Supervisor 720, or Route Switch Processor 720
http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml
* Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak
http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml
Affected Products
=================
Vulnerable Products
+------------------
Devices that run Cisco IOS and are configured for MVPN are affected.
An IOS device that is configured for MVPN has a line similar to the
following in its running configuration:
mdt default <group-address>
In order to determine the software that runs on a Cisco IOS product,
log in to the device and issue the show version command to display
the system banner. Cisco IOS software identifies itself as
"Internetwork Operating System Software" or simply "IOS." On the next
line of output, the image name displays between parentheses, followed
by "Version" and the Cisco IOS release name. Other Cisco devices do
not have the "show version" command or give different output.
The following example shows output from a device that runs an IOS
image:
Router>show version
Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(14)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Thu 31-Mar-05 08:04 by yiyan
Additional information about Cisco IOS release naming is available at
the following link:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper….
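The following Python sketch is an added example, not part of Cisco's advisory: it extracts the image name and release from the "show version" banner described above, splits the release into the parts needed to name its train, and finds "mdt default" lines in a running configuration. Assumptions: the configuration sample is constructed, and ordering two releases of the same train by maintenance number, then interim letter, then rebuild number is a simplification of Cisco's release naming.

```python
import re
from dataclasses import dataclass

# "(IMAGE-NAME), Version RELEASE" as it appears in the show version banner.
BANNER_RE = re.compile(r"\(([^)]+)\),\s+Version\s+([^\s,]+)")
# major.minor(maintenance[interim])[TRAIN][rebuild][suffix], e.g. 12.3(14)T1
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]*)(\d*)([a-z]?)$")

# Sample output reproduced from the advisory text.
SHOW_VERSION = """\
Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(14)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Thu 31-Mar-05 08:04 by yiyan
"""

# Constructed configuration fragment; VRF names and group are illustrative.
SAMPLE_CONFIG = """\
ip vrf CUSTOMER_A
 rd 65000:1
 mdt default 239.192.0.1
!
ip vrf CUSTOMER_B
 rd 65000:2
!
"""


@dataclass(frozen=True)
class Release:
    major: int
    minor: int
    maintenance: int
    interim: str    # letter inside the parentheses, e.g. "a" in 12.4(18a)
    train_id: str   # letters after the parentheses; "" for mainline
    rebuild: int    # digits after the train letters; 0 when absent
    suffix: str     # trailing letter, e.g. "b" in 12.3(4)TPC11b

    @property
    def train(self):
        """Train name as used in the advisory tables, e.g. '12.3T'."""
        return f"{self.major}.{self.minor}{self.train_id}"

    def order_key(self):
        return (self.maintenance, self.interim, self.rebuild, self.suffix)


def parse_release(text):
    m = RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IOS release name: {text!r}")
    major, minor, maint, interim, train_id, rebuild, suffix = m.groups()
    return Release(int(major), int(minor), int(maint), interim,
                   train_id, int(rebuild or 0), suffix)


def parse_show_version(output):
    """Return (image name, Release) from show version output."""
    m = BANNER_RE.search(output)
    if not m:
        raise ValueError("no IOS banner found; device may not run Cisco IOS")
    return m.group(1), parse_release(m.group(2))


def earlier_than(running, reference):
    """True if 'running' sorts before 'reference' within the same train."""
    if running.train != reference.train:
        raise ValueError("releases are in different trains; use the table row "
                         "for the running train instead")
    return running.order_key() < reference.order_key()


def mvpn_lines(config):
    """Return (parent config line, group address) for each 'mdt default'."""
    found, parent = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            parent = raw.strip()
        m = re.match(r"\s*mdt default\s+(\S+)", raw)
        if m:
            found.append((parent, m.group(1)))
    return found


if __name__ == "__main__":
    image, release = parse_show_version(SHOW_VERSION)
    print(image, release.train, release.order_key())
    print(mvpn_lines(SAMPLE_CONFIG))
```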
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products, including IOS XR software, are currently
known to be affected by this vulnerability.
Details
=======
MVPN architecture introduces an additional set of protocols and
procedures that help enable a service provider to support multicast
traffic in an MPLS VPN. MVPN allows the transparent transport of IP
multicast traffic across the MPLS VPN backbone of a provider and
allows a service provider to offer multicast services to MPLS VPN
customers.
A vulnerability exists in the implementation of MVPN that allows an
attacker to send specially crafted Multicast Distribution Tree (MDT)
Data Join messages that can cause the creation of extra multicast
states on the core routers. MDT Data Join messages can be sent in
unicast or multicast. The vulnerability can also allow leaking
multicast traffic from different MPLS VPNs. It is possible to receive
multicast traffic from VPNs that are not connected to the same
Provider Edge (PE) router. In order to successfully exploit this
vulnerability, an attacker needs to know or guess the Border Gateway
Protocol (BGP) peering IP address of a remote PE router and the
address of the multicast group that is used in other MPLS VPNs.
This vulnerability is documented in the Cisco Bug ID CSCsi01470
and has been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2008-1156.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
Version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsi01470 - Crafted MDT Data Join TLV in VRF causes multicast state
CVSS Base Score - 7.5
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
CVSS Temporal Score - 6.2
Exploitability: Functional
Remediation Level: Official-Fix
Report Confidence: Confirmed
Impact
======
Successful exploitation of the vulnerability can result in the
creation of extra multicast states on the core routers or the leaking
of multicast traffic from one MPLS VPN to another.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Release" column of the
table.
+----------------------------------------+
| Major | Availability of Repaired |
| Release | Releases |
|------------+---------------------------|
| Affected | First Fixed | Recommended |
| 12.0-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| 12.0 | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0DA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0DB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0DC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | 12.0(32)S9 | |
| 12.0S | | 12.0(32)S10 |
| | 12.0(33)S | |
|------------+-------------+-------------|
| 12.0SC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0SL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0SP | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0ST | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.0SX | first fixed | 12.0(32)S10 |
| | in 12.0S | |
|------------+-------------+-------------|
| 12.0SY | 12.0(32)SY4 | 12.0(32)SY5 |
|------------+-------------+-------------|
| 12.0SZ | 12.0(30)SZ4 | 12.0(32)S10 |
|------------+-------------+-------------|
| 12.0T | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0W | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0WC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0WT | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XH | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XI | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XJ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XK | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XM | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XN | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XQ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XR | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XS | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XV | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| Affected | First Fixed | Recommended |
| 12.1-Based | Release | Release |
| Releases | | |
|----------------------------------------|
| There are no affected 12.1 based |
| releases |
|----------------------------------------|
| Affected | First Fixed | Recommended |
| 12.2-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| 12.2 | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2B | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2BC | first fixed | 12.3(23)BC1 |
| | in 12.3BC | |
|------------+-------------+-------------|
| 12.2BW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2BY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2BZ | first fixed | |
| | in 12.3XI | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2CX | first fixed | 12.3(23)BC1 |
| | in 12.3BC | |
|------------+-------------+-------------|
| 12.2CY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2CZ | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2DA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2DD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2DX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | | 12.2(25) |
| | | EWA13 |
| | Vulnerable; | |
| 12.2EU | first fixed | 12.2(31) |
| | in 12.2SG | SGA5 |
| | | |
| | | 12.2(44)SG |
|------------+-------------+-------------|
| | | 12.2(25) |
| | | EWA13 |
| | Vulnerable; | |
| 12.2EW | first fixed | 12.2(31) |
| | in 12.2SG | SGA5 |
| | | |
| | | 12.2(44)SG |
|------------+-------------+-------------|
| | 12.2(25) | |
| | EWA10 | 12.2(25) |
| 12.2EWA | | EWA13 |
| | 12.2(25) | |
| | EWA11 | |
|------------+-------------+-------------|
| 12.2EX | 12.2(37)EX | 12.2(40)EX1 |
|------------+-------------+-------------|
| 12.2EY | 12.2(37)EY | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2EZ | first fixed | |
| | in 12.2SEE | |
|------------+-------------+-------------|
| 12.2FX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2FY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2FZ | first fixed | 12.2(44)SE1 |
| | in 12.2SE | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2IXA | first fixed | |
| | in 12.2IXD | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2IXB | first fixed | |
| | in 12.2IXD | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2IXC | first fixed | |
| | in 12.2IXD | |
|------------+-------------+-------------|
| 12.2IXD | 12.2(18) | |
| | IXD1 | |
|------------+-------------+-------------|
| 12.2IXE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2JA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2JK | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2MB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2MC | 12.2(15) | 12.4(18a) |
| | MC2h | |
|------------+-------------+-------------|
| | 12.2(14)S18 | |
| | | |
| | 12.2(18)S13 | |
| 12.2S | | 12.2(25)S15 |
| | 12.2(20)S14 | |
| | | |
| | 12.2(25)S13 | |
|------------+-------------+-------------|
| | 12.2(28)SB7 | |
| | | |
| | 12.2(31)SB5 | |
| 12.2SB | | 12.2(28) |
| | 12.2(33)SB; | SB12 |
| | Available | |
| | on | |
| | 31-MAR-08 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| | first fixed | |
| 12.2SBC | in 12.2SB; | 12.2(28) |
| | Available | SB12 |
| | on | |
| | 31-MAR-08 | |
|------------+-------------+-------------|
| 12.2SCA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | 12.2(35)SE4 | |
| 12.2SE | | 12.2(44)SE1 |
| | 12.2(37)SE | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SEA | first fixed | |
| | in 12.2SEE | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SEB | first fixed | |
| | in 12.2SEE | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SEC | first fixed | |
| | in 12.2SEE | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SED | first fixed | |
| | in 12.2SEE | |
|------------+-------------+-------------|
| 12.2SEE | 12.2(25) | |
| | SEE4 | |
|------------+-------------+-------------|
| 12.2SEF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SEG | 12.2(25) | 12.2(25) |
| | SEG3 | SEG4 |
|------------+-------------+-------------|
| | 12.2(25)SG2 | |
| | | |
| | 12.2(31)SG2 | |
| 12.2SG | | 12.2(44)SG |
| | 12.2(37)SG1 | |
| | | |
| | 12.2(40)SG | |
|------------+-------------+-------------|
| | 12.2(31) | |
| | SGA2 | |
| | | |
| | 12.2(31) | |
| | SGA3 | 12.2(31) |
| 12.2SGA | | SGA5 |
| | 12.2(31) | |
| | SGA6; | |
| | Available | |
| | on | |
| | 07-APR-08 | |
|------------+-------------+-------------|
| 12.2SL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SM | 12.2(29)SM2 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SO | migrate to | 12.2(29)SVD |
| | any release | |
| | in 12.2SVA | |
|------------+-------------+-------------|
| 12.2SRA | 12.2(33) | 12.2(33) |
| | SRA4 | SRA7 |
|------------+-------------+-------------|
| | | 12.2(33) |
| | 12.2(33) | SRB3; |
| 12.2SRB | SRB1 | Available |
| | | on |
| | | 31-MAR-08 |
|------------+-------------+-------------|
| 12.2SRC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SU | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.2SV | 12.2(29b)SV | 12.2(29b)SV |
|------------+-------------+-------------|
| 12.2SVA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SVC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SVD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SW | 12.2(25) | |
| | SW11 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SX | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SXA | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SXB | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SXD | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SXE | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | 12.2(18) | |
| | SXF10 | |
| | | |
| 12.2SXF | 12.2(18) | 12.2(18) |
| | SXF10a | SXF13 |
| | | |
| | 12.2(18) | |
| | SXF12a | |
|------------+-------------+-------------|
| 12.2SXH | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SY | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | | 12.2(25)S15 |
| | Vulnerable; | |
| 12.2SZ | first fixed | 12.2(28) |
| | in 12.2S | SB12 |
| | | |
| | | 12.2(33)SRC |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2T | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.2TPC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| | first fixed | |
| 12.2UZ | in 12.2SB; | 12.2(28) |
| | Available | SB12 |
| | on | |
| | 31-MAR-08 | |
|------------+-------------+-------------|
| 12.2XA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XH | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XI | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XJ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XK | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XM | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XN | 12.2(33)XN1 | 12.3(26) |
|------------+-------------+-------------|
| 12.2XO | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XQ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XR | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XS | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XT | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XU | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XV | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YH | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YJ | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.2YK | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YL | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YM | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YN | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.2YO | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YP | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YQ | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YR | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.2YS | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YT | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YU | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YV | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.2YW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YX | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.2YY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | | 12.2(25)S15 |
| | Vulnerable; | |
| 12.2YZ | first fixed | 12.2(28) |
| | in 12.2S | SB12 |
| | | |
| | | 12.2(33)SRC |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2ZA | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| 12.2ZB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZC | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.2ZD | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZE | first fixed | 12.3(26) |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZF | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T4 |
| 12.2ZG | first fixed | |
| | in 12.3YG | 12.4(18a) |
|------------+-------------+-------------|
| 12.2ZH | 12.2(13)ZH9 | 12.2(13) |
| | | ZH11 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZJ | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T4 |
| 12.2ZL | first fixed | |
| | in 12.4 | 12.4(18a) |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZP | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZU | migrate to | 12.2(33) |
| | any release | SXH2 |
| | in 12.2SXH | |
|------------+-------------+-------------|
| 12.2ZY | 12.2(18)ZY1 | 12.2(18)ZY2 |
|------------+-------------+-------------|
| Affected | First Fixed | Recommended |
| 12.3-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| | 12.3(17c) | |
| | | |
| | 12.3(18a) | |
| | | |
| | 12.3(19a) | |
| | | |
| 12.3 | 12.3(20a) | 12.3(26) |
| | | |
| | 12.3(21b) | |
| | | |
| | 12.3(22a) | |
| | | |
| | 12.3(23) | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3B | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | 12.3(17b) | |
| | BC8 | |
| | | |
| 12.3BC | 12.3(21a) | 12.3(23)BC1 |
| | BC2 | |
| | | |
| | 12.3(23)BC | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3BW | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.3EU | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.3JA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.3JEA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.3JEB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.3JEC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.3(8)JK1 | |
| | are | |
| 12.3JK | vulnerable, | 12.3(8)JK1 |
| | release | |
| | 12.3(8)JK1 | |
| | and later | |
| | are not | |
| | vulnerable; | |
|------------+-------------+-------------|
| 12.3JL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.3JX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3T | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.3TPC | 12.3(4) | |
| | TPC11b | |
|------------+-------------+-------------|
| 12.3VA | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | | 12.3(2)XA7; |
| 12.3XA | 12.3(2)XA6 | Available |
| | | on |
| | | 31-MAR-08 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XB | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | | 12.4(15)T4 |
| 12.3XC | 12.3(2)XC5 | |
| | | 12.4(18a) |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XD | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | | 12.4(15)T4 |
| 12.3XE | 12.3(2)XE5 | |
| | | 12.4(18a) |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XF | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T4 |
| 12.3XG | first fixed | |
| | in 12.3YG | 12.4(18a) |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XH | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.3XI | 12.3(7) | |
| | XI10a | |
|------------+-------------+-------------|
| | Vulnerable; | 12.3(14) |
| 12.3XJ | first fixed | YX11 |
| | in 12.3YX | |
| | | 12.4(15)T4 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XK | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XQ | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | | 12.3(7)XR8; |
| 12.3XR | 12.3(7)XR7 | Available |
| | | on |
| | | 31-MAR-08 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XS | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XU | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | 12.3(14) |
| 12.3XW | first fixed | YX11 |
| | in 12.3YX | |
| | | 12.4(15)T4 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3XY | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T4 |
| 12.3YA | first fixed | |
| | in 12.4 | 12.4(18a) |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YD | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | 12.3(14) |
| 12.3YF | first fixed | YX11 |
| | in 12.3YX | |
| | | 12.4(15)T4 |
|------------+-------------+-------------|
| 12.3YG | 12.3(8)YG6 | 12.4(15)T4 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YH | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YI | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YJ | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.3YK | 12.3(11)YK3 | 12.4(15)T4 |
|------------+-------------+-------------|
| 12.3YM | 12.3(14) | 12.3(14) |
| | YM10 | YM12 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YQ | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.3YS | 12.3(11)YS2 | 12.4(15)T4 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YT | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3YU | first fixed | |
| | in 12.4XB | |
|------------+-------------+-------------|
| 12.3YX | 12.3(14)YX9 | 12.3(14) |
| | | YX11 |
|------------+-------------+-------------|
| 12.3YZ | 12.3(11)YZ2 | |
|------------+-------------+-------------|
| Affected | First Fixed | Recommended |
| 12.4-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| | 12.4(10c) | |
| | | |
| | 12.4(12b) | |
| | | |
| | 12.4(13c) | |
| | | |
| | 12.4(16) | |
| | | |
| 12.4 | 12.4(17a) | 12.4(18a) |
| | | |
| | 12.4(3h) | |
| | | |
| | 12.4(5c) | |
| | | |
| | 12.4(7f) | |
| | | |
| | 12.4(8d) | |
|------------+-------------+-------------|
| 12.4JA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4JK | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4JMA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4JMB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4JMC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4JX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | | 12.4(15)MD; |
| 12.4MD | 12.4(11)MD1 | Available |
| | | on |
| | | 09-MAY-08 |
|------------+-------------+-------------|
| 12.4MR | 12.4(12)MR2 | 12.4(16)MR2 |
|------------+-------------+-------------|
| 12.4SW | 12.4(11)SW3 | 12.4(15)SW |
|------------+-------------+-------------|
| | 12.4(11)T3 | |
| | | |
| | 12.4(15)T | |
| | | |
| | 12.4(2)T6 | |
| 12.4T | | 12.4(15)T4 |
| | 12.4(4)T8 | |
| | | |
| | 12.4(6)T8 | |
| | | |
| | 12.4(9)T4 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.4XA | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.4XB | 12.4(2)XB6 | |
|------------+-------------+-------------|
| 12.4XC | 12.4(4)XC7 | |
|------------+-------------+-------------|
| 12.4XD | 12.4(4)XD8 | 12.4(4)XD10 |
|------------+-------------+-------------|
| 12.4XE | 12.4(6)XE2 | 12.4(15)T4 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.4XF | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.4XG | 12.4(9)XG2 | 12.4(9)XG2 |
|------------+-------------+-------------|
| 12.4XJ | 12.4(11)XJ4 | 12.4(15)T4 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.4XK | first fixed | 12.4(15)T4 |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.4XL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4XM | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4XN | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4XT | 12.4(6)XT1 | 12.4(6)XT2 |
|------------+-------------+-------------|
| 12.4XV | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4XW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.4XY | Not | |
| | Vulnerable | |
+----------------------------------------+
Workarounds
===========
The workaround for this vulnerability consists of filtering MDT Data
Join packets on the PE device.
The workarounds need to be applied on all Virtual Routing and
Forwarding (VRF) interfaces of all PE routers. Otherwise, attackers
can target remote PE routers and can still exploit this
vulnerability.
Even if only one PE router in the network runs an unfixed version of
IOS code, it is vulnerable to packets that come from systems that are
connected to remote PE routers. In such a case, workarounds need to
be deployed on all PE routers to successfully mitigate this
vulnerability.
The "mdt data <group> <mask>" or "mdt data <group> <mask> threshold
<n> list <acl>" commands do not mitigate this vulnerability.
Filtering Packets to UDP Port 3232
+---------------------------------
MDT Data Join messages are sent to UDP port 3232. Creating an
access-list that filters destination UDP port 3232 and applying it on
the VRF interface of the PE router mitigates this vulnerability. Such
an access-list looks like this:

    access-list 100 deny udp any any eq 3232
    access-list 100 permit ip any any

    interface Serial 0/0
     ip vrf forwarding <vpn-1>
     ...
     ip access-group 100 in

Note that this access-list can also filter legitimate traffic that is
destined to UDP port 3232. In such a case, the access-list can be
modified to be more specific by providing individual BGP peer IP
addresses. This is explained in the section that follows.
Filtering BGP Peer IP Addresses on the VRF Interface
+---------------------------------------------------
In order to successfully exploit this vulnerability, an attacker
needs to send MDT Data Join messages by spoofing the packets from the
IP address of one of the existing iBGP peers. Because MDT Data Join
messages are only used between PE routers, the packets from CE
devices can safely be filtered.
Creating an access-list that filters iBGP peer IP addresses as source
addresses and applying it on the VRF interface of the PE router
mitigates this vulnerability. The access-list needs to filter all
iBGP peer IP addresses. Such an access-list looks like this example:

    access-list 100 deny udp host <ibgp-peer-1> any eq 3232
    access-list 100 deny udp host <ibgp-peer-2> any eq 3232
    ...
    access-list 100 deny udp host <ibgp-peer-n> any eq 3232
    access-list 100 permit ip any any

    interface Serial 0/0
     ip vrf forwarding <vpn-1>
     ...
     ip access-group 100 in

Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080326-mvpn.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.ht…
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was reported to Cisco by Thomas Morin.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce(a)cisco.com
* first-teams(a)first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
* comp.dcom.sys.cisco(a)newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-March-26 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.….
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEUEARECAAYFAkfqWfwACgkQ86n/Gc8U/uDwygCghFemh82anp21b8nnqugVl/3Z
ptIAl0w37xapJqVitZ1ElGFfiVY23Sg=
=i4no
-----END PGP SIGNATURE-----
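
An added example, not part of the Cisco advisory: a Python check that applies the two workaround ACL forms from the Workarounds section of the MVPN advisory above to a running-config and lists the VRF interfaces where a UDP port 3232 packet carrying an iBGP peer source address would still be accepted. The configuration, peer addresses and probe destination are constructed sample values, and only numbered ACL entries of the forms the advisory shows (ip/udp, any/host/wildcard, optional "eq <port>") are parsed.

```python
import ipaddress
import re

MDT_DATA_JOIN_PORT = 3232  # UDP port named in the advisory

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
access-list 100 deny udp any any eq 3232
access-list 100 permit ip any any
access-list 101 deny udp host 192.0.2.1 any eq 3232
access-list 101 permit ip any any
access-list 102 permit ip any any
!
interface Serial0/0
 ip vrf forwarding vpn-1
 ip access-group 100 in
!
interface Serial0/1
 ip vrf forwarding vpn-2
 ip access-group 101 in
!
interface Serial0/2
 ip vrf forwarding vpn-3
 ip access-group 102 in
!
interface Serial0/3
 ip vrf forwarding vpn-4
!
interface Loopback0
 ip address 192.0.2.10 255.255.255.255
"""

# Only ip and udp entries can match a UDP packet; other protocols are skipped.
ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(?:ip|udp)\s+(.*)$")


def _take_addr(tokens):
    """Consume one IOS address spec and return (address, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_config(text):
    """Return (acls, vrf_ifaces): ACL entries by number, and the inbound ACL
    number (or None) of every interface that has 'ip vrf forwarding'."""
    acls, ifaces, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        ace = ACE_RE.match(line)
        if ace:
            number, action, rest = ace.groups()
            tokens = rest.split()
            src, dst = _take_addr(tokens), _take_addr(tokens)
            if tokens and (len(tokens) != 2 or tokens[0] != "eq"):
                raise ValueError(f"unsupported ACL syntax: {line}")
            port = int(tokens[1]) if tokens else None
            acls.setdefault(number, []).append((action, src, dst, port))
        elif line.startswith("interface "):
            name = line.split(None, 1)[1]
            current = ifaces.setdefault(name, {"vrf": False, "acl": None})
        elif not raw.startswith(" "):
            current = None  # left the interface block
        elif current is not None:
            if line.startswith("ip vrf forwarding "):
                current["vrf"] = True
            group = re.match(r"ip access-group (\d+) in$", line)
            if group:
                current["acl"] = group.group(1)
    return acls, {n: i["acl"] for n, i in ifaces.items() if i["vrf"]}


def _addr_match(ip, spec):
    addr, wildcard = spec
    return ((ip ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def acl_action(entries, src_ip, dst_ip, dst_port):
    """First-match result for a UDP packet; IOS ACLs end in an implicit deny."""
    for action, src, dst, port in entries:
        if port is not None and port != dst_port:
            continue
        if _addr_match(src_ip, src) and _addr_match(dst_ip, dst):
            return action
    return "deny"


def audit(text, ibgp_peers, probe_dst="198.51.100.1"):
    """Return {VRF interface: [peer addresses whose UDP/3232 would pass]}.
    probe_dst is a constructed destination; the advisory's ACLs match 'any'."""
    acls, vrf_ifaces = parse_config(text)
    dst = int(ipaddress.IPv4Address(probe_dst))
    findings = {}
    for name, acl in vrf_ifaces.items():
        exposed = []
        for peer in ibgp_peers:
            src = int(ipaddress.IPv4Address(peer))
            # A missing or undefined access-group filters nothing.
            if acl not in acls or acl_action(
                    acls[acl], src, dst, MDT_DATA_JOIN_PORT) == "permit":
                exposed.append(peer)
        if exposed:
            findings[name] = exposed
    return findings


if __name__ == "__main__":
    for iface, peers in audit(SAMPLE_CONFIG, ["192.0.2.1", "192.0.2.2"]).items():
        print(f"{iface}: UDP/3232 not filtered for sources {', '.join(peers)}")
```

Serial0/1 in the sample shows the failure the advisory calls out for the second workaround: the ACL lists one iBGP peer but not the other, so the interface is still reported.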

Cisco Security Advisory: Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability
by Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Virtual Private Dial-up Network
Denial of Service Vulnerability
Advisory ID: cisco-sa-20080326-pptp
http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml
Revision 1.0
For Public Release 2008 March 26 1600 UTC (GMT)
Summary
=======
Two vulnerabilities exist in the virtual private dial-up network
(VPDN) solution when Point-to-Point Tunneling Protocol (PPTP) is used
in certain Cisco IOS releases prior to 12.3. PPTP is only one of the
supported tunneling protocols used to tunnel PPP frames within the
VPDN solution.
The first vulnerability is a memory leak that occurs as a result of
PPTP session termination. The second vulnerability may consume all
interface descriptor blocks on the affected device because those
devices will not reuse virtual access interfaces. If these
vulnerabilities are repeatedly exploited, the memory and/or interface
resources of the attacked device may be depleted.
Cisco has made free software available to address these vulnerabilities
for affected customers.
There are no workarounds available to mitigate the effects of these
vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml
Note: The March 26, 2008 publication includes five security
advisories. The advisories all address vulnerabilities in Cisco's
Internetwork Operating System (IOS) software. Each advisory lists the
releases that correct the vulnerability described in the advisory,
and also lists the releases that correct the vulnerabilities in the
other five advisories. Please reference the following software table
to find a release that fixes all published software advisories as of
March 26th, 2008:
* March 26th Bundled IOS Advisory Table
http://www.cisco.com/warp/public/707/cisco-sa-20080326-bundle.shtml
Individual publication links are listed below:
* Cisco IOS Virtual Private Dial-up Network Denial of Service
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml
* Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS
http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml
* Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6
Dual-stack Routers
http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml
* Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor
32, Supervisor 720, or Route Switch Processor 720
http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml
* Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak
http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml
Affected Products
=================
Devices that are running certain Cisco IOS versions prior to 12.3
with VPDN enabled may be affected by these vulnerabilities.
Vulnerable Products
+------------------
Devices that are running affected versions of Cisco IOS with VPDN
enabled and are configured to accept termination of PPTP sessions are
vulnerable.
To determine whether VPDN is enabled on your device, log in to the
device and issue the command-line interface (CLI) command "show
running-config". If the output contains "vpdn enable" along with a
"vpdn-group <name>" command, VPDN is enabled on the device. The device
will accept termination of PPTP sessions if the command "protocol any"
or "protocol pptp" is defined under the "vpdn-group <name>" command.
The following example shows a device that is running VPDN and will
accept termination of PPTP sessions:
    Router#show running-config
    Building configuration...
    !
    !--- Output truncated.
    !
    vpdn enable
    !
    vpdn-group test_only
    ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
    !
    !---Remaining output truncated.
To determine the software version running on a Cisco product, log in
to the device and issue the "show version" command to display the
system banner. Cisco IOS software will identify itself as
"Internetwork Operating System Software" or simply "IOS." On the next
line of output, the image name will be displayed between parentheses,
followed by "Version" and the IOS release name. Other Cisco devices
will not have the "show version" command or will give different output.
The following example identifies a Cisco product that is running
Cisco IOS release 12.2(7):
    Cisco Internetwork Operating System Software
    IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(7), RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2002 by cisco Systems, Inc.
    Compiled Tue 15-Jan-02 18:31 by pwade
    Image text-base: 0x600089C0, data-base: 0x613A6000
Additional information about Cisco IOS release naming can be found at
http://www.cisco.com/warp/public/620/1.html.
Products Confirmed Not Vulnerable
+--------------------------------
Devices that are running Cisco IOS versions 12.3 and later are not
affected by these vulnerabilities. Devices that are explicitly
configured for VPDN protocols other than PPTP are not affected.
Devices that are running Cisco IOS versions prior to 12.3 and do not
have VPDN enabled are not affected by these vulnerabilities.
Cisco IOS XR is not affected by these vulnerabilities.
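The exposure check described above can be run offline against saved "show version" and "show running-config" output. The following Python sketch is an added example, not part of the Cisco advisory; the function names and sample inputs are constructed for illustration, and it assumes each vpdn-group section is closed by a bare "!" line. It only triages: a "check-table" result still has to be looked up in the fixed-release table for the reported train.

```python
import re

# Constructed sample inputs, modelled on the excerpts quoted in the advisory.
SAMPLE_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(7), RELEASE SOFTWARE (fc1)
"""

SAMPLE_CONFIG = """\
!
vpdn enable
!
vpdn-group test_only
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
vpdn-group l2tp_only
 accept-dialin
  protocol l2tp
  virtual-template 2
!
"""

# "Version 12.1(22)EA11" -> major 12, minor 1, train letters "EA"
VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\(([^)]+)\)([A-Za-z]*)")


def parse_ios_version(show_version):
    """Return (major, minor, train), e.g. (12, 1, '12.1EA'); None if not classic IOS."""
    if "IOS XR" in show_version:          # the advisory lists IOS XR as not affected
        return None
    if "IOS" not in show_version and "Internetwork Operating System" not in show_version:
        return None
    m = VERSION_RE.search(show_version)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    return major, minor, f"{major}.{minor}{m.group(4)}"


def pptp_groups(running_config):
    """Return (vpdn_enabled, names of vpdn-groups with 'protocol pptp' or 'protocol any')."""
    vpdn_enabled = False
    group = None
    accepting = []
    for raw in running_config.splitlines():
        line = raw.strip()
        if line == "!":                    # assumption: a bare "!" ends the section
            group = None
            continue
        if not line or line.startswith("!"):
            continue                       # blank line or comment text
        if line == "vpdn enable":
            vpdn_enabled = True
        elif line.startswith("vpdn-group "):
            group = line.split(None, 1)[1]
        elif group and re.fullmatch(r"protocol\s+(any|pptp)", line):
            if group not in accepting:
                accepting.append(group)
    return vpdn_enabled, accepting


def triage(show_version, running_config):
    """Return (status, detail) following the advisory's affected-product criteria."""
    ver = parse_ios_version(show_version)
    if ver is None:
        return "not-ios", "IOS XR or no IOS version banner found"
    major, minor, train = ver
    if (major, minor) >= (12, 3):
        return "not-affected", f"train {train} is 12.3 or later"
    enabled, groups = pptp_groups(running_config)
    if not enabled or not groups:
        return "not-affected", "VPDN is not enabled or no group accepts PPTP"
    return "check-table", f"train {train}; PPTP accepted by {', '.join(groups)}"


if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_CONFIG))
```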
Details
=======
VPDNs securely carry private data over a public network, allowing
remote users to access a private network over a shared infrastructure
such as the Internet. VPDNs maintain the same security and management
policies as a private network, while providing a cost-effective
method for point-to-point connections between remote users and a
central network.
PPTP is a network protocol that enables the secure transfer of data
from a remote client to a private enterprise server by creating a
VPDN across TCP/IP-based data networks. PPTP supports on-demand,
multiprotocol, virtual private networking over public networks, such
as the Internet.
Details regarding the two known vulnerabilities in Cisco IOS devices
that are running affected versions of system software follow:
* Memory Leak due to PPTP Session Termination
Upon completion of a PPTP session, memory is leaked from the
processor memory on the terminating device. This is shown in the
output of "show process memory" under the *Dead* process. The
*Dead* process is not a real process. Its function is to account
for the memory that is allocated under the context of another
process which has terminated, in this case PPTP. When the
administrator is logged into the device, if the device is under
exploitation, the Holding entry of the *Dead* process under the
"show process memory" command will be increasing. Following is
an example showing a device that is holding *Dead* memory:
    Router#show process memory
    Total: 199718560, Used: 11147828, Free: 188570732
     PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
       0   0      99812       1848    8415816          0          0 *Init*
       0   0        444     778840        444          0          0 *Sched*
       0   0   17481700    4930848     819672     180908          0 *Dead*
       1   0        284        284       3828          0          0 Load Meter
    !--- Output truncated.
The CLI command "show memory dead" allows administrators to examine
the contents of *Dead*. The output will display many occurrences
of PPTP in the output if the PPTP process is causing the leak.
The following example shows the dead memory for a device that has
been exploited by the vulnerability:
    Router#show memory dead
                    Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
    Processor   6225FF40   224002240    11906736   212095504   212082872   212084464
          I/O   20000000    33554440      994136    32560304    32560304    32560252
        I/O-2    F800000     8388616     1020632     7367984     7367984     7367932
    Processor memory
     Address      Bytes     Prev     Next Ref   PrevF   NextF Alloc PC  what
    62275DC8 0000000048 62275D68 62275E24 001 ------- ------- 60654230  PPTP create idb
    62275E24 0000000052 62275DC8 62275E84 001 ------- ------- 60654230  PPTP create idb
    62275E84 0000000052 62275E24 62275EE4 001 ------- ------- 60654230  PPTP create idb
    ....
    !--- remaining output truncated.
This vulnerability is documented in Cisco bug ID CSCsj58566
and Common Vulnerabilities and Exposures (CVE) identifier
CVE-2008-1151 has been assigned to this vulnerability.
* Virtual Access Interfaces Are Not Re-used
Upon completion of a PPTP session, affected devices do not remove
the virtual access interface that is associated with the PPTP
session and do not reuse the interfaces in any future
connections.
This situation can result in an exhaustion of the interface
descriptor block (IDB) limit, which will prevent any new
interfaces being created within Cisco IOS, effectively blocking
all new VPDN connections, even though the router may still have
enough processor memory to remain up and running. A reload of the
device is required to remove the interfaces.
An IDB is a Cisco IOS internal data structure that contains
information such as the IP address, interface state, and packet
statistics. Cisco IOS software maintains one IDB for each
interface present on a platform and one IDB for each
subinterface.
Further documentation on Cisco IOS IDBs can be found at:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09…
This vulnerability is documented in Cisco bug ID CSCdv59309
and Common Vulnerabilities and Exposures (CVE) identifier
CVE-2008-1150 has been assigned to this vulnerability.
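The two indicators given for the memory leak (a growing Holding value for *Dead* in "show process memory", and many PPTP entries in "show memory dead") can be checked from collected command output. The following Python sketch is an added example, not part of the Cisco advisory; the snapshots and the non-PPTP row are constructed, and the 50 percent PPTP share used as the cut-off for "many occurrences" is an assumption to tune per device.

```python
import re


def make_snapshot(dead_holding_bytes):
    """Build a constructed 'show process memory' excerpt with the given *Dead* Holding."""
    return (
        "Total: 199718560, Used: 11147828, Free: 188570732\n"
        " PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process\n"
        "   0   0      99812       1848    8415816          0          0 *Init*\n"
        f"   0   0   17481700    4930848 {dead_holding_bytes:>10}     180908          0 *Dead*\n"
        "   1   0        284        284       3828          0          0 Load Meter\n"
    )


# First value is the one shown in the advisory; the later two are constructed.
SNAPSHOTS = [make_snapshot(819672), make_snapshot(1204312), make_snapshot(1650008)]

# Three rows from the advisory's excerpt plus one constructed non-PPTP row.
DEAD_DUMP = """\
Processor memory
 Address      Bytes     Prev     Next Ref   PrevF   NextF Alloc PC  what
62275DC8 0000000048 62275D68 62275E24 001 ------- ------- 60654230  PPTP create idb
62275E24 0000000052 62275DC8 62275E84 001 ------- ------- 60654230  PPTP create idb
62275E84 0000000052 62275E24 62275EE4 001 ------- ------- 60654230  PPTP create idb
62275EE4 0000000120 62275E84 62275F88 001 ------- ------- 603A1B2C  Init
"""


def dead_holding(show_process_memory):
    """Return the Holding column (bytes) of the *Dead* row, or None if absent."""
    for line in show_process_memory.splitlines():
        fields = line.split()
        if len(fields) >= 8 and fields[-1] == "*Dead*" and fields[4].isdigit():
            return int(fields[4])
    return None


def pptp_dead_blocks(show_memory_dead):
    """Return (total_blocks, pptp_blocks, pptp_bytes) from the per-block rows."""
    total = pptp = pptp_bytes = 0
    for line in show_memory_dead.splitlines():
        parts = line.split(None, 8)        # ninth field is the free-text "what" column
        if len(parts) < 9:
            continue                        # pool summary, header or truncated line
        if not re.fullmatch(r"[0-9A-Fa-f]{8}", parts[0]) or not parts[1].isdigit():
            continue
        total += 1
        if parts[8].startswith("PPTP"):
            pptp += 1
            pptp_bytes += int(parts[1])
    return total, pptp, pptp_bytes


def leak_suspected(snapshots, show_memory_dead, pptp_share=0.5):
    """True if *Dead* Holding rises in every snapshot and PPTP blocks reach pptp_share."""
    holdings = [dead_holding(s) for s in snapshots]
    if len(holdings) < 2 or None in holdings:
        return False
    growing = all(later > earlier for earlier, later in zip(holdings, holdings[1:]))
    total, pptp, _ = pptp_dead_blocks(show_memory_dead)
    return growing and total > 0 and pptp / total >= pptp_share


if __name__ == "__main__":
    print([dead_holding(s) for s in SNAPSHOTS], pptp_dead_blocks(DEAD_DUMP))
    print("leak suspected:", leak_suspected(SNAPSHOTS, DEAD_DUMP))
```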
Vulnerability Scoring Details
=============================
Cisco is providing scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
Cisco will provide a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
CVSS is a standards based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsj58566 - Memory Leak due to PPTP Session Termination
CVSS Base Score - 7.1
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
CVSS Temporal Score - 5.9
Exploitability: Functional
Remediation Level: Official-Fix
Report Confidence: Confirmed
CSCdv59309 - Virtual Access Interfaces Are Not Re-used
CVSS Base Score - 4.3
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Partial
CVSS Temporal Score - 3.6
Exploitability: Functional
Remediation Level: Official-Fix
Report Confidence: Confirmed
Impact
======
Successful exploitation of the vulnerability may result in a memory
leak of processor memory or consumption of all available IDBs on the
device. With continued exploitation, the device will deplete its
processor memory or reach an IDB limit. Both impacts would result in
a denial of service condition for the device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+----------------------------------------+
| Major | Availability of Repaired |
| Release | Releases |
|------------+---------------------------|
| Affected | First Fixed | Recommended |
| 12.0-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| 12.0 | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0DA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0DB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0DC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0S | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0SC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0SL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0SP | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0ST | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0SX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0SY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0SZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0T | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0W | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0WC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0WT | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.0(7)XE2 | |
| | are | |
| 12.0XE | vulnerable, | |
| | release | |
| | 12.0(7)XE2 | |
| | and later | |
| | are not | |
| | vulnerable; | |
|------------+-------------+-------------|
| 12.0XF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XH | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XI | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XJ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XK | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XM | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XN | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XQ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XR | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XS | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XV | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.0XW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| Affected | First Fixed | Recommended |
| 12.1-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| 12.1 | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1AA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1AX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.1(22)AY1 | |
| | are | |
| 12.1AY | vulnerable, | 12.1(22) |
| | release | EA11 |
| | 12.1(22)AY1 | |
| | and later | |
| | are not | |
| | vulnerable; | |
|------------+-------------+-------------|
| 12.1AZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1CX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1DA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1DB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1DC | first fixed | 12.4(18a) |
| | in 12.2B | |
|------------+-------------+-------------|
| 12.1E | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.1(11)EA1 | |
| | are | |
| 12.1EA | vulnerable, | 12.1(22) |
| | release | EA11 |
| | 12.1(11)EA1 | |
| | and later | |
| | are not | |
| | vulnerable; | |
|------------+-------------+-------------|
| 12.1EB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1EC | first fixed | 12.3(23)BC1 |
| | in 12.2BC | |
|------------+-------------+-------------|
| 12.1EO | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1EU | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1EV | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1EW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1EX | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.1EY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1EZ | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.1GA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1GB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1T | migrate to | 12.3(26) |
| | any release | |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.1XA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XH | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XI | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XJ | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| 12.1XK | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XL | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XM | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| 12.1XN | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XO | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XP | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XQ | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XR | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XS | migrate to | 12.3(26) |
| | any release | |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XT | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| 12.1XU | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XV | first fixed | 12.3(26) |
| | in 12.2XB | |
|------------+-------------+-------------|
| 12.1XW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1XX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1XY | migrate to | 12.3(26) |
| | any release | |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.1XZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1YA | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1YB | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1YC | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1YD | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.1(5)YE6 | |
| | are | |
| | vulnerable, | |
| 12.1YE | release | 12.3(26) |
| | 12.1(5)YE6 | |
| | and later | |
| | are not | |
| | vulnerable; | |
| | first fixed | |
| | in 12.2T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1YF | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| 12.1YG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.1YH | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.1YI | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| 12.1YJ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| Affected | First Fixed | Recommended |
| 12.2-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2 | migrate to | 12.3(26) |
| | any release | |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.2B | 12.2(4)B5 | 12.4(18a) |
|------------+-------------+-------------|
| | 12.2(15) | |
| | BC1e | |
| | | |
| 12.2BC | 12.2(15) | 12.3(23)BC1 |
| | BC2d | |
| | | |
| | 12.2(8)BC1 | |
|------------+-------------+-------------|
| | 12.2(4)BW1 | |
| 12.2BW | | 12.3(26) |
| | 12.2(4)BW1a | |
|------------+-------------+-------------|
| 12.2BY | 12.2(8)BY | 12.4(18a) |
|------------+-------------+-------------|
| 12.2BZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2CX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2CY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2CZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2DA | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2DD | first fixed | 12.4(18a) |
| | in 12.2B | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2DX | first fixed | 12.4(18a) |
| | in 12.2B | |
|------------+-------------+-------------|
| 12.2EU | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2EW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2EWA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2EX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2EY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2EZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2FX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2FY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2FZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2IXA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2IXB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2IXC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2IXD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2IXE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2JA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2JK | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2MB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2MC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.2(18)S | |
| | are | |
| | vulnerable, | |
| | release | |
| 12.2S | 12.2(18)S | 12.2(25)S15 |
| | and later | |
| | are not | |
| | vulnerable; | |
| | migrate to | |
| | any release | |
| | in 12.2SRC | |
|------------+-------------+-------------|
| 12.2SB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SBC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SCA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SEA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SEB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SEC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SED | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SEE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SEF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SEG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SGA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SM | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SO | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SRA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SRB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SRC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SU | migrate to | 12.4(18a) |
| | any release | |
| | in 12.3T | |
|------------+-------------+-------------|
| 12.2SV | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SVA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SVC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SVD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Releases | |
| | prior to | |
| | 12.2(17a)SX | |
| | are | |
| | vulnerable, | |
| | release | 12.2(18) |
| 12.2SX | 12.2(17a)SX | SXF13 |
| | and later | |
| | are not | |
| | vulnerable; | |
| | migrate to | |
| | any release | |
| | in 12.2SXF | |
|------------+-------------+-------------|
| 12.2SXA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SXB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SXD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SXE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SXF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SXH | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SY | migrate to | 12.2(18) |
| | any release | SXF13 |
| | in 12.2SXB | |
|------------+-------------+-------------|
| | | 12.2(25)S15 |
| | Vulnerable; | |
| 12.2SZ | migrate to | 12.2(28) |
| | any release | SB12 |
| | in 12.2SRC | |
| | | 12.2(33)SRC |
|------------+-------------+-------------|
| | 12.2(15)T4e | |
| 12.2T | | 12.3(26) |
| | 12.2(8)T | |
|------------+-------------+-------------|
| 12.2TPC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2UZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XA | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| 12.2XB | 12.2(2)XB5 | 12.3(26) |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XC | migrate to | 12.4(18a) |
| | any release | |
| | in 12.3T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XD | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XE | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XF | first fixed | 12.3(23)BC1 |
| | in 12.2BC | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XG | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XH | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XI | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XJ | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XK | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| 12.2XL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XM | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XN | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XO | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XQ | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| 12.2XR | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XS | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XT | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XU | migrate to | 12.3(26) |
| | any release | |
| | in 12.3 | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2XV | migrate to | 12.3(26) |
| | any release | |
| | in 12.3 | |
|------------+-------------+-------------|
| 12.2XW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YC | first fixed | 12.3(26) |
| | in 12.2T | |
|------------+-------------+-------------|
| 12.2YD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | | 12.2(25)S15 |
| | Vulnerable; | |
| 12.2YE | migrate to | 12.2(28) |
| | any release | SB12 |
| | in 12.2SRC | |
| | | 12.2(33)SRC |
|------------+-------------+-------------|
| 12.2YF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YH | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YJ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YK | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YM | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YN | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YO | migrate to | 12.2(18) |
| | any release | SXF13 |
| | in 12.2SXB | |
|------------+-------------+-------------|
| 12.2YP | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YQ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YR | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YS | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YT | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YU | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YV | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2YX | migrate to | 12.4(18a) |
| | any release | |
| | in 12.3T | |
|------------+-------------+-------------|
| 12.2YY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | | 12.2(25)S15 |
| | Vulnerable; | |
| 12.2YZ | migrate to | 12.2(28) |
| | any release | SB12 |
| | in 12.2SRC | |
| | | 12.2(33)SRC |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZA | migrate to | 12.2(18) |
| | any release | SXF13 |
| | in 12.2SXB | |
|------------+-------------+-------------|
| 12.2ZB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZH | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZJ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZP | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZU | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| Affected | First Fixed | Recommended |
| 12.3-Based | Release | Release |
| Releases | | |
|----------------------------------------|
| There are no affected 12.3 based |
| releases |
|----------------------------------------|
| Affected | First Fixed | Recommended |
| 12.4-Based | Release | Release |
| Releases | | |
|----------------------------------------|
| There are no affected 12.4 based |
| releases |
+----------------------------------------+
Workarounds
===========
There are no workarounds for this vulnerability. Cisco recommends
upgrading to the fixed version of Cisco IOS.
Obtaining Fixed Software
========================
Cisco will make free software available to address this vulnerability
for affected customers. This advisory will be updated as fixed
software becomes available. Prior to deploying software, customers
should consult their maintenance provider or check the software for
feature set compatibility and known issues specific to their
environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact either "psirt(a)cisco.com" or "security-alert(a)cisco.com"
for software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreement with third-party support organizations
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party
vendors but are unsuccessful at obtaining fixed software through
their point of sale should get their upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the
TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
We would like to thank Martin Kluge of Elxsi Security for reporting
these vulnerabilities to us. We greatly appreciate the opportunity to
work with researchers on security vulnerabilities, and welcome the
opportunity to review and assist with security vulnerability reports
against Cisco products.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080206-pptp.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce(a)cisco.com
* first-teams(a)first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
* comp.dcom.sys.cisco(a)newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-March-26 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.…
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkfqTdMACgkQ86n/Gc8U/uBf1wCdEyVVCfrw98IoEeZshHo6pyDu
3MwAoJuSF26Yz83ZdOc/23SiXDy1drER
=U8Nj
-----END PGP SIGNATURE-----

Cisco Security Advisory: Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor 32, Supervisor 720, or Route Switch Processor 720
by Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Vulnerability in Cisco IOS with OSPF, MPLS
VPN, and Supervisor 32, Supervisor 720, or
Route Switch Processor 720
Advisory ID: cisco-sa-20080326-queue
http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml
Revision 1.0
For Public Release 2008 March 26 1600 UTC (GMT)
Summary
=======
Certain Cisco Catalyst 6500 Series and Cisco 7600 Router devices that
run branches of Cisco IOS based on 12.2 can be vulnerable to a denial
of service vulnerability that can prevent any traffic from entering
an affected interface. For a device to be vulnerable, it must be
configured for Open Shortest Path First (OSPF) Sham-Link and Multi
Protocol Label Switching (MPLS) Virtual Private Networking (VPN).
This vulnerability only affects Cisco Catalyst 6500 Series or
Catalyst 7600 Series devices with the Supervisor Engine 32 (Sup32),
Supervisor Engine 720 (Sup720) or Route Switch Processor 720 (RSP720)
modules. The Supervisor 32, Supervisor 720, Supervisor 720-3B,
Supervisor 720-3BXL, Route Switch Processor 720, Route Switch
Processor 720-3C, and Route Switch Processor 720-3CXL are all
potentially vulnerable.
The OSPF and MPLS VPNs are not enabled by default.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml
Note: The March 26, 2008 publication includes five Security
Advisories. The Advisories all affect Cisco IOS. Each Advisory lists
the releases that correct the vulnerability described in the
Advisory, and the Advisories also detail the releases that correct
the vulnerabilities in all five Advisories. Please reference the
following software table to find a release which fixes all published
Security Advisories as of March 26th, 2008.
* March 26th bundled IOS Advisory Table
http://www.cisco.com/warp/public/707/cisco-sa-20080326-bundle.shtml
Individual publication links are listed below:
* Cisco IOS Virtual Private Dial-up Network Denial of Service
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml
* Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS
http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml
* Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6
Dual-stack Routers
http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml
* Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor
32, Supervisor 720, or Route Switch Processor 720
http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml
* Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak
http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml
Affected Products
=================
Vulnerable Products
+------------------
All Cisco products based on the Supervisor Engine 32 (Sup32),
Supervisor Engine 720 (Sup720) or Route Switch Processor 720 (RSP720)
are potentially vulnerable. Cisco Sup720 and RSP720 products have
support for daughter cards that enhance their functionality. These
daughter cards attach directly to the Sup720 or RSP720 and have names
like PFC-3B, PFC-3BXL, PFC-3C, and PFC-3CXL. The product number of
the Sup720 or RSP720 can change to reflect the daughter card that is
installed, such as RSP720-3CXL.
Because the vulnerability affects the Sup720 and RSP720, all versions
of the Sup720 or RSP720 are vulnerable, regardless of the daughter
card that is installed.
* Cisco Catalyst 6500 Series devices with the Sup32, Sup720,
Sup720-3B, or Sup720-3BXL
* Cisco 7600 Series devices with the Sup32, Sup720, Sup720-3B, or
Sup720-3BXL
* Cisco 7600 Series devices with the RSP720, RSP720-3C, or
RSP720-3CXL
* Cisco ME 6524 Ethernet Switch
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by this
vulnerability.
Cisco Bug ID CSCsf12082 was integrated into additional IOS releases
that do not run on the vulnerable hardware, but only the platforms
mentioned in the Vulnerable Products section above are affected by
this vulnerability.
Details
=======
Vulnerable Cisco devices, when configured for Multi Protocol Label
Switching (MPLS) Virtual Private Networking (VPN) and Open Shortest
Path First (OSPF) sham-link, can suffer from a blocked queue,
memory leak and/or restart of the device.
This vulnerability is documented in Cisco bug ID CSCsf12082, and has
been assigned CVE ID CVE-2008-0057.
The following combination of hardware and software configuration must
be present for the device to be vulnerable:
* Cisco Catalyst Sup32, Sup720, or RSP720 is present
* MPLS VPN is configured
* OSPF sham-link is configured
In order to determine whether you are running this feature, use the
show running-config command and search for the address-family vpnv4
and area sham-link router configuration commands. The following
command displays all configuration lines that meet the following
criteria:
* Begins with the word "router," OR
* Includes "address-family vpnv4," OR
* Includes "sham-link"
    Router# show run | include ^router |address-family vpnv4|sham-link
    router bgp 1
     address-family vpnv4
    router ospf 1 vrf VRFNAME
     area 0 sham-link 192.168.1.1 192.168.100.1
    Router#
For customers that run versions of IOS that support the section
modifier, an additional option is available to view the relevant
sections of the running configuration:
    Router# show run | section ^router
    router bgp 1
     [snip]
     address-family vpnv4
    router ospf 1 vrf VRFNAME
     area 0 sham-link 192.168.1.1 192.168.100.1
     [snip]
If certain packets are received by a device that meets the above
requirements, the input queue of the interface that receives these
packets can become blocked, which can prohibit additional traffic
from entering the interface and cause a denial of service condition.
In addition to a potential blocked interface queue, the device can
also suffer a memory leak or restart. In the event of a memory leak,
the device is unable to forward traffic once available memory is
depleted.
For more information on MPLS VPNs, please reference the following
document:
http://www.cisco.com/en/US/docs/net_mgmt/vpn_solutions_center/1.1/user/guid…
For more information on OSPF sham-links, please reference the
following document:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ospfshmk.html
Identifying a Memory Leak
+------------------------
This vulnerability can manifest as a leak in the I/O memory pool. The
following is an example of a system message that indicates an
exhaustion of the I/O pool:
    006029: Aug 10: %SYS-2-MALLOCFAIL: Memory allocation of 808 bytes failed from 0x41613238, alignment 32
    Pool: I/O Free: 176 Cause: Not enough free memory
    Alternate Pool: None Free: 0 Cause: No Alternate pool
Note that in the above output, the affected memory pool is Pool: I/O,
and the cause is Cause: Not enough free memory. This output indicates
that the I/O memory pool has been exhausted.
Additionally, a user with enable-level access can check the device
through the show buffers command to identify buffer allocation
failures.
    Router#show buffers
    Buffer elements:
         496 in free list (500 max allowed)
         77298300 hits, 0 misses, 0 created
    Public buffer pools:
    Small buffers, 104 bytes (total 148654, permanent 1024, peak 148654 @ 1d12h):
         0 in free list (128 min, 2048 max allowed)
         24688031 hits, 4023203 misses, 0 trims, 147630 created
         3243434 failures (3182828 no memory)
The above output shows that buffer allocation failed due to
insufficient memory.
Identifying a Blocked Interface
+------------------------------
A symptom of this type of blocked queue is the failure of
control-plane protocols such as routing protocols (OSPF, Enhanced
Interior Gateway Routing Protocol (EIGRP), Border Gateway Protocol
(BGP), Intermediate System to Intermediate System (ISIS), etc.) and
MPLS TDP/LDP to properly establish connections over an affected
interface.
In order to identify a blocked input interface, issue the show
interfaces command, and search for the Input Queue line. The size of
the input queue can continue to increase. If the current size, which
is 76 in the example below, is larger than the maximum size (75), the
input queue is blocked.
It is possible that a device receives a high rate of traffic destined
to the control plane, and the full queue is only a transient event.
In order to verify if the interface is actually blocked, shut down
the interface with the shutdown interface configuration command and
examine the input queue. If the input queue does not display 0
packets, the interface is blocked.
    Router#show interface ethernet 0/0
    Ethernet0/0 is up, line protocol is up
      Hardware is AmdP2, address is 0050.500e.f1e0 (bia 0050.500e.f1e0)
      Internet address is 172.16.1.9/24
      MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
      Encapsulation ARPA, loopback not set, keepalive set (10 sec)
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:41, output 00:00:07, output hang never
      Last clearing of "show interface" counters 00:07:18
      Input queue: 76/75/1091/0 (size/max/drops/flushes); Total output drops: 0
    !--- The 76/75 shows that this is blocked
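An offline triage of saved command output against the three checks described in this section (configuration preconditions, I/O pool exhaustion, blocked input queue), as an added example that is not part of the Cisco advisory. The function names and sample strings are constructed for illustration; the hardware precondition (Sup32, Sup720 or RSP720) cannot be read from these outputs and must be checked separately.

```python
import re

# Constructed samples modelled on the command output quoted in the advisory.
SAMPLE_CONFIG = """\
router bgp 1
 address-family vpnv4
router ospf 1 vrf VRFNAME
 area 0 sham-link 192.168.1.1 192.168.100.1
"""
SAMPLE_INTERFACES = """\
Ethernet0/0 is up, line protocol is up
  Input queue: 76/75/1091/0 (size/max/drops/flushes); Total output drops: 0
Ethernet0/1 is up, line protocol is up
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
"""
SAMPLE_LOG = """\
006029: Aug 10: %SYS-2-MALLOCFAIL: Memory allocation of 808 bytes failed from 0x41613238, alignment 32
Pool: I/O Free: 176 Cause: Not enough free memory
Alternate Pool: None Free: 0 Cause: No Alternate pool
"""

SHAM_RE = re.compile(r"^area \S+ sham-link \S+ \S+")
IFACE_RE = re.compile(r"^(\S+) is (administratively down|up|down), line protocol is ")
QUEUE_RE = re.compile(r"Input queue: (\d+)/(\d+)/\d+/\d+ \(size/max/drops/flushes\)")
MALLOC_RE = re.compile(r"%SYS-2-MALLOCFAIL: Memory allocation of (\d+) bytes failed")
IO_POOL_RE = re.compile(r"^\s*Pool:\s+I/O\s+Free:\s+(\d+)\s+Cause:\s+Not enough free memory")


def config_preconditions(config_text):
    """Report the two software preconditions: MPLS VPN and OSPF sham-link."""
    found = {"mpls_vpn": False, "ospf_sham_link": False}
    section = ""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        # Child lines are tested first so that filtered output whose
        # indentation was lost is still attributed to the right section.
        if section.startswith("router bgp") and line.startswith("address-family vpnv4"):
            found["mpls_vpn"] = True
        elif section.startswith("router ospf") and SHAM_RE.match(line):
            found["ospf_sham_link"] = True
        elif not raw[0].isspace():
            section = line  # any unindented line opens a new section
    return found


def input_queue_findings(show_interfaces_text):
    """Return (interface, size, max, verdict) for suspicious input queues.

    "over-max": size exceeds max; the advisory notes this can be transient.
    "blocked-after-shutdown": the interface is administratively down and the
    queue still holds packets, which is the advisory's confirmation step.
    """
    findings = []
    iface, status = None, None
    for raw in show_interfaces_text.splitlines():
        header = IFACE_RE.match(raw)
        if header:
            iface, status = header.group(1), header.group(2)
            continue
        queue = QUEUE_RE.search(raw)
        if not queue or iface is None:
            continue
        size, qmax = int(queue.group(1)), int(queue.group(2))
        if status == "administratively down" and size != 0:
            findings.append((iface, size, qmax, "blocked-after-shutdown"))
        elif size > qmax:
            findings.append((iface, size, qmax, "over-max"))
    return findings


def io_pool_failures(log_text):
    """Return (requested_bytes, free_bytes) for MALLOCFAIL events in the I/O pool."""
    events = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        failed = MALLOC_RE.search(line)
        if not failed:
            continue
        # The pool detail follows the MALLOCFAIL line in the message body.
        for follow in lines[i + 1:i + 3]:
            pool = IO_POOL_RE.match(follow)
            if pool:
                events.append((int(failed.group(1)), int(pool.group(1))))
                break
    return events


if __name__ == "__main__":
    print(config_preconditions(SAMPLE_CONFIG))
    print(input_queue_findings(SAMPLE_INTERFACES))
    print(io_pool_failures(SAMPLE_LOG))
```
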
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
Version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsf12082 - SUP720 facing small buffer leak and crashes
CVSS Base Score - 7.8
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
CVSS Temporal Score - 6.1
Exploitability: Proof-of-Concept
Remediation Level: Official-Fix
Report Confidence: Confirmed
Impact
======
Exploitation of this vulnerability may result in a blocked interface
input queue, memory leak, and/or restart of the device. Repeated
exploitation of this vulnerability may result in an extended denial
of service.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+----------------------------------------+
| Major | Availability of Repaired |
| Release | Releases |
|------------+---------------------------|
| Affected | First Fixed | Recommended |
| 12.0-Based | Release | Release |
| Releases | | |
|----------------------------------------|
| There are no affected 12.0 based |
| releases |
|----------------------------------------|
| Affected | First Fixed | Recommended |
| 12.1-Based | Release | Release |
| Releases | | |
|----------------------------------------|
| There are no affected 12.1 based |
| releases |
|----------------------------------------|
| Affected | First Fixed | Recommended |
| 12.2-Based | Release | Release |
| Releases | | |
|------------+-------------+-------------|
| 12.2 | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2B | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2BC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2BW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2BY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2BZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2CX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2CY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2CZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2DA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2DD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2DX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2EU | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2EW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2EWA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2EX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2EY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2EZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2FX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2FY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2FZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2IXA | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2IXB | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2IXC | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| 12.2IXD | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| | migrate to | IXF; |
| 12.2IXE | any release | Available |
| | in 12.2IXF | on |
| | | 31-MAR-2008 |
|------------+-------------+-------------|
| 12.2JA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2JK | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2MB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2MC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2S | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SBC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SCA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SEA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SEB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SEC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SED | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SEE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SEF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SEG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SGA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SM | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SO | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SRA | 12.2(33) | 12.2(33) |
| | SRA4 | SRA7 |
|------------+-------------+-------------|
| 12.2SRB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SRC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SU | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SV | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SVA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SVC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SVD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SXA | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SXB | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SXD | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| | Vulnerable; | 12.2(18) |
| 12.2SXE | first fixed | SXF13 |
| | in 12.2SXF | |
|------------+-------------+-------------|
| 12.2SXF | 12.2(18) | 12.2(18) |
| | SXF6 | SXF13 |
|------------+-------------+-------------|
| 12.2SXH | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2T | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2TPC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2UZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XH | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XI | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XJ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XK | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XM | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XN | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XO | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XQ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XR | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XS | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XT | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XU | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XV | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2XW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YH | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YJ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YK | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YM | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YN | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YO | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YP | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YQ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YR | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YS | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YT | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YU | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YV | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YW | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2YZ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZA | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZB | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZD | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZE | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZF | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZG | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZH | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZJ | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZL | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2ZP | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2ZU | migrate to | 12.2(33) |
| | any release | SXH2 |
| | in 12.2SXH | |
|------------+-------------+-------------|
| 12.2ZY | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| Affected | First Fixed | Recommended |
| 12.3-Based | Release | Release |
| Releases | | |
|----------------------------------------|
| There are no affected 12.3 based |
| releases |
|----------------------------------------|
| Affected | First Fixed | Recommended |
| 12.4-Based | Release | Release |
| Releases | | |
|----------------------------------------|
| There are no affected 12.4 based |
| releases |
+----------------------------------------+
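One way to apply the table above to a release string taken from show version, as an added example that is not Cisco's code. It encodes only the rows of the 12.2-based table for CSCsf12082 that are not marked Not Vulnerable, and it assumes that releases within one train order by maintenance number and then by numeric rebuild suffix; the function names are hypothetical.

```python
import re

# Trains from the table with a fix inside the train:
# ((maintenance, rebuild), First Fixed Release as printed in the table).
FIRST_FIXED = {
    "12.2SRA": ((33, 4), "12.2(33)SRA4"),
    "12.2SXF": ((18, 6), "12.2(18)SXF6"),
}

# Trains the table lists as vulnerable as a whole, with its guidance text.
WHOLE_TRAIN = {
    "12.2IXA": "contact TAC",
    "12.2IXB": "contact TAC",
    "12.2IXC": "contact TAC",
    "12.2IXD": "contact TAC",
    "12.2IXE": "migrate to any release in 12.2IXF",
    "12.2SXA": "first fixed in 12.2SXF",
    "12.2SXB": "first fixed in 12.2SXF",
    "12.2SXD": "first fixed in 12.2SXF",
    "12.2SXE": "first fixed in 12.2SXF",
    "12.2ZU": "migrate to any release in 12.2SXH",
}

# Example: 12.2(18)SXF13 -> base 12.2, maintenance 18, train letters SXF,
# rebuild 13. A lowercase letter after the maintenance number or after the
# rebuild number is accepted and ignored (assumption of this example).
RELEASE_RE = re.compile(r"^(\d+\.\d+)\((\d+)[a-z]?\)([A-Z]*)(\d*)[a-z]?$")


def parse_release(release):
    """Split an IOS release string into (train, maintenance, rebuild)."""
    match = RELEASE_RE.match(release.strip())
    if not match:
        raise ValueError("unrecognised IOS release string: %r" % release)
    base, maint, letters, rebuild = match.groups()
    return base + letters, int(maint), int(rebuild or 0)


def assess(release):
    """Return (verdict, guidance) for one release string.

    Verdicts: "vulnerable", "fixed", or "not-listed" when the train is not
    one of the affected rows encoded above.
    """
    train, maint, rebuild = parse_release(release)
    if train in WHOLE_TRAIN:
        return "vulnerable", WHOLE_TRAIN[train]
    if train in FIRST_FIXED:
        fixed_at, label = FIRST_FIXED[train]
        if (maint, rebuild) < fixed_at:
            return "vulnerable", "upgrade to %s or later" % label
        return "fixed", "at or after %s" % label
    return "not-listed", "train is not an affected row in the encoded table"


if __name__ == "__main__":
    # Constructed inventory of release strings.
    for rel in ("12.2(18)SXF5", "12.2(18)SXF13", "12.2(33)SRA3",
                "12.2(18)SXE6", "12.2(33)SXH2"):
        print(rel, assess(rel))
```

A "vulnerable" verdict here covers the software release only; exposure still depends on the hardware and configuration conditions listed under Details.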
Workarounds
===========
Once a device interface queue has been exhausted, only a device
restart can clear OSPF packets in the blocked queue.
Due to the manner in which these packets are processed, the queue
block occurs prior to the OSPF MD5 check. The OSPF MD5 configuration
does not protect a device from this vulnerability.
Increasing the Selective Packet Discard (SPD) Headroom
+-----------------------------------------------------
At the most basic level, the Selective Packet Discard (SPD) provides
extended buffering for control plane traffic. Known as the SPD
headroom, this additional queue depth is typically reserved for
traffic with IP Precedence equal to 6 (such as BGP), the
Connectionless Network Service (CLNS) based routing protocol
Intermediate System-to-Intermediate System (IS-IS), OSPF, and Layer 2
keepalives.
Increasing the SPD headroom provides additional buffering for OSPF
packets. In the event of a blocked queue, the SPD headroom can be
increased to allow more control plane traffic buffer space.
More information on SPD can be found in the following white paper:
http://www.cisco.com/web/about/security/intelligence/spd.html
It is possible to expand the queue size to accommodate more packets,
but packets can still accumulate until the expanded queue is
exhausted. As a temporary workaround that allows traffic to continue
to flow, the input hold queue can be increased. Any additional
malformed packets still fill the queue, but increasing the input
queue depth can extend the amount of time before the input queue
fills and traffic ceases flowing. The following example demonstrates
how to set the input queue size from the default of 75 to the maximum
of 4096:
    Router# configure terminal
    Router(config)# interface FastEthernet 0/0
    Router(config-if)# hold-queue 4096 in
Removing OSPF Sham-Link Configuration
+------------------------------------
Because OSPF Sham-Link configuration is required for the
vulnerability to be present, removing Sham-Link functionality
eliminates exposure to this vulnerability. In order to remove the
OSPF Sham-Link configuration from a device, the OSPF configuration
must be changed on each interface where Sham-Link is configured.
For configuration information on OSPF Sham-Link, please consult the
following document:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ospfshmk.html
Cisco IOS Embedded Event Manager
+-------------------------------
Cisco IOS Embedded Event Manager (EEM) provides event detection and
reaction capabilities on a Cisco IOS device. It is possible to detect
blocked interface queues with an EEM policy. EEM can alert
administrators of blocked interfaces with email, a syslog message, or
a Simple Network Management Protocol (SNMP) trap.
A sample EEM policy that uses syslog to alert administrators of
blocked interfaces is available at Cisco Beyond, an online community
dedicated to EEM. A sample script is available at the following link:
http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=981
More information about EEM is available from Cisco.com at the
following link:
http://www.cisco.com/en/US/products/ps6815/products_ios_protocol_group_home…
Obtaining Fixed Software
========================
Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.ht…
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was reported to Cisco by a customer.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce(a)cisco.com
* first-teams(a)first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
* comp.dcom.sys.cisco(a)newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+----------------------------------------------------------+
| Revision 1.0 | 2008-March-26 | Initial public release.   |
+----------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.….
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
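The Cisco advisory above (cisco-sa-20080326-queue) describes detecting blocked interface input queues on the device with EEM. The following is an added example, not part of the advisory and not the EEM script it links to: an off-box check that compares two polls of "show interfaces" output and reports interfaces whose input queue is full in both. It assumes the IOS counter line format "Input queue: size/max/drops/flushes"; the poll text is constructed sample data and the function names are hypothetical.

```python
import re

# Header of each interface stanza, e.g. "FastEthernet0/0 is up, line protocol is up".
IFACE_RE = re.compile(r"^(\S+) is .*line protocol is ")
# Assumed IOS counter line: "Input queue: 76/75/1250/0 (size/max/drops/flushes)".
QUEUE_RE = re.compile(
    r"Input queue: (\d+)/(\d+)/(\d+)/(\d+) \(size/max/drops/flushes\)")

# Constructed polls of one router taken some minutes apart (not real captures).
POLL_1 = """\
FastEthernet0/0 is up, line protocol is up
  Input queue: 76/75/1250/0 (size/max/drops/flushes); Total output drops: 0
FastEthernet0/1 is up, line protocol is up
  Input queue: 4096/4096/12/0 (size/max/drops/flushes); Total output drops: 0
Serial0/0/0 is administratively down, line protocol is down
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
"""
POLL_2 = """\
FastEthernet0/0 is up, line protocol is up
  Input queue: 76/75/1893/0 (size/max/drops/flushes); Total output drops: 0
FastEthernet0/1 is up, line protocol is up
  Input queue: 12/4096/12/0 (size/max/drops/flushes); Total output drops: 0
Serial0/0/0 is administratively down, line protocol is down
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
"""


def parse_input_queues(show_interfaces_text):
    """Map interface name -> {size, max, drops, flushes} of its input queue."""
    queues, current = {}, None
    for line in show_interfaces_text.splitlines():
        header = IFACE_RE.match(line)
        if header:
            current = header.group(1)
            continue
        counters = QUEUE_RE.search(line)
        if counters and current:
            size, qmax, drops, flushes = map(int, counters.groups())
            queues[current] = {"size": size, "max": qmax,
                               "drops": drops, "flushes": flushes}
    return queues


def full_queues(queues):
    """Interfaces whose input queue holds at least its configured maximum."""
    return sorted(name for name, q in queues.items() if q["size"] >= q["max"])


def blocked_interfaces(earlier_text, later_text):
    """Interfaces full in both polls, mapped to input drops added in between.

    A burst drains between polls; a blocked queue stays full however large
    the hold-queue was made, so the persistent state is what is reported.
    """
    before = parse_input_queues(earlier_text)
    after = parse_input_queues(later_text)
    stuck = set(full_queues(before)) & set(full_queues(after))
    return {name: after[name]["drops"] - before[name]["drops"]
            for name in sorted(stuck)}


if __name__ == "__main__":
    for name, new_drops in blocked_interfaces(POLL_1, POLL_2).items():
        print(f"{name}: input queue full in both polls, {new_drops} new drops")
```
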

Weekly Routing Table Report
by Routing Analysis Role Account
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.
Daily listings are sent to bgp-stats(a)lists.apnic.net
For historical data, please see http://thyme.apnic.net.
If you have any comments please contact Philip Smith <pfs(a)cisco.com>.
Routing Table Report 04:00 +10GMT Sat 22 Mar, 2008
Report Website: http://thyme.apnic.net
Detailed Analysis: http://thyme.apnic.net/current/
Analysis Summary
----------------
BGP routing table entries examined: 249926
Prefixes after maximum aggregation: 125708
Deaggregation factor: 1.99
Unique aggregates announced to Internet: 121435
Total ASes present in the Internet Routing Table: 27716
Prefixes per ASN: 9.02
Origin-only ASes present in the Internet Routing Table: 24163
Origin ASes announcing only one prefix: 11205
Transit ASes present in the Internet Routing Table: 3553
Transit-only ASes present in the Internet Routing Table: 76
Average AS path length visible in the Internet Routing Table: 3.6
Max AS path length visible: 18
Max AS path prepend of ASN (43380) 13
Prefixes from unregistered ASNs in the Routing Table: 25270
Unregistered ASNs in the Routing Table: 1928
Number of 32-bit ASNs allocated by the RIRs: 46
Prefixes from 32-bit ASNs in the Routing Table: 8
Special use prefixes present in the Routing Table: 0
Prefixes being announced from unallocated address space: 874
Number of addresses announced to Internet: 1847560448
Equivalent to 110 /8s, 31 /16s and 137 /24s
Percentage of available address space announced: 49.8
Percentage of allocated address space announced: 61.2
Percentage of available address space allocated: 81.4
Percentage of address space in use by end-sites: 71.0
Total number of prefixes smaller than registry allocations: 118974
APNIC Region Analysis Summary
-----------------------------
Prefixes being announced by APNIC Region ASes: 42273
Total APNIC prefixes after maximum aggregation: 13276
APNIC Deaggregation factor: 3.18
Prefixes being announced from the APNIC address blocks: 54431
Unique aggregates announced from the APNIC address blocks: 23158
APNIC Region origin ASes present in the Internet Routing Table: 1905
APNIC Prefixes per ASN: 28.57
APNIC Region origin ASes announcing only one prefix: 553
APNIC Region transit ASes present in the Internet Routing Table: 348
Average APNIC Region AS path length visible: 3.6
Max APNIC Region AS path length visible: 16
Number of APNIC addresses announced to Internet: 336420960
Equivalent to 20 /8s, 13 /16s and 96 /24s
Percentage of available APNIC address space announced: 77.1
APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079
APNIC Address Blocks   58/8, 59/8, 60/8, 61/8, 114/8, 115/8, 116/8,
                       117/8, 118/8, 119/8, 120/8, 121/8, 122/8, 123/8,
                       124/8, 125/8, 126/8, 202/8, 203/8, 210/8, 211/8,
                       218/8, 219/8, 220/8, 221/8, 222/8,
ARIN Region Analysis Summary
----------------------------
Prefixes being announced by ARIN Region ASes: 106628
Total ARIN prefixes after maximum aggregation: 58657
ARIN Deaggregation factor: 1.82
Prefixes being announced from the ARIN address blocks: 85319
Unique aggregates announced from the ARIN address blocks: 33814
ARIN Region origin ASes present in the Internet Routing Table: 11645
ARIN Prefixes per ASN: 7.33
ARIN Region origin ASes announcing only one prefix: 4517
ARIN Region transit ASes present in the Internet Routing Table: 1035
Average ARIN Region AS path length visible: 3.4
Max ARIN Region AS path length visible: 15
Number of ARIN addresses announced to Internet: 360305408
Equivalent to 21 /8s, 121 /16s and 211 /24s
Percentage of available ARIN address space announced: 74.1
ARIN AS Blocks         1-1876, 1902-2042, 2044-2046, 2048-2106
(pre-ERX allocations)  2138-2584, 2615-2772, 2823-2829, 2880-3153
                       3354-4607, 4865-5119, 5632-6655, 6912-7466
                       7723-8191, 10240-12287, 13312-15359, 16384-17407
                       18432-20479, 21504-23551, 25600-26591,
                       26624-27647, 29696-30719, 31744-33791
                       35840-36863, 39936-40959
ARIN Address Blocks    24/8, 63/8, 64/8, 65/8, 66/8, 67/8, 68/8,
                       69/8, 70/8, 71/8, 72/8, 73/8, 74/8, 75/8,
                       76/8, 96/8, 97/8, 98/8, 99/8, 173/8, 174/8,
                       199/8, 204/8, 205/8, 206/8, 207/8, 208/8, 209/8,
                       216/8,
RIPE Region Analysis Summary
----------------------------
Prefixes being announced by RIPE Region ASes: 53063
Total RIPE prefixes after maximum aggregation: 32987
RIPE Deaggregation factor: 1.61
Prefixes being announced from the RIPE address blocks: 48596
Unique aggregates announced from the RIPE address blocks: 32653
RIPE Region origin ASes present in the Internet Routing Table: 11060
RIPE Prefixes per ASN: 4.39
RIPE Region origin ASes announcing only one prefix: 5776
RIPE Region transit ASes present in the Internet Routing Table: 1682
Average RIPE Region AS path length visible: 4.0
Max RIPE Region AS path length visible: 18
Number of RIPE addresses announced to Internet: 347894304
Equivalent to 20 /8s, 188 /16s and 114 /24s
Percentage of available RIPE address space announced: 79.8
RIPE AS Blocks         1877-1901, 2043, 2047, 2107-2136, 2585-2614
(pre-ERX allocations)  2773-2822, 2830-2879, 3154-3353, 5377-5631
                       6656-6911, 8192-9215, 12288-13311, 15360-16383
                       20480-21503, 24576-25599, 28672-29695
                       30720-31743, 33792-35839, 38912-39935
                       40960-45055
RIPE Address Blocks    62/8, 77/8, 78/8, 79/8, 80/8, 81/8, 82/8,
                       83/8, 84/8, 85/8, 86/8, 87/8, 88/8, 89/8,
                       90/8, 91/8, 92/8, 93/8, 94/8, 95/8, 193/8,
                       194/8, 195/8, 212/8, 213/8, 217/8,
LACNIC Region Analysis Summary
------------------------------
Prefixes being announced by LACNIC Region ASes: 19100
Total LACNIC prefixes after maximum aggregation: 4771
LACNIC Deaggregation factor: 4.00
Prefixes being announced from the LACNIC address blocks: 17466
Unique aggregates announced from the LACNIC address blocks: 9543
LACNIC Region origin ASes present in the Internet Routing Table: 882
LACNIC Prefixes per ASN: 19.80
LACNIC Region origin ASes announcing only one prefix: 279
LACNIC Region transit ASes present in the Internet Routing Table: 152
Average LACNIC Region AS path length visible: 4.0
Max LACNIC Region AS path length visible: 18
Number of LACNIC addresses announced to Internet: 49790848
Equivalent to 2 /8s, 247 /16s and 191 /24s
Percentage of available LACNIC address space announced: 49.5
LACNIC AS Blocks 26592-26623, 27648-28671, plus ERX transfers
LACNIC Address Blocks 186/8, 187/8, 189/8, 190/8, 200/8, 201/8,
AfriNIC Region Analysis Summary
-------------------------------
Prefixes being announced by AfriNIC Region ASes: 3591
Total AfriNIC prefixes after maximum aggregation: 1135
AfriNIC Deaggregation factor: 3.16
Prefixes being announced from the AfriNIC address blocks: 4008
Unique aggregates announced from the AfriNIC address blocks: 1814
AfriNIC Region origin ASes present in the Internet Routing Table: 234
AfriNIC Prefixes per ASN: 17.13
AfriNIC Region origin ASes announcing only one prefix: 80
AfriNIC Region transit ASes present in the Internet Routing Table: 44
Average AfriNIC Region AS path length visible: 3.8
Max AfriNIC Region AS path length visible: 14
Number of AfriNIC addresses announced to Internet: 10090752
Equivalent to 0 /8s, 153 /16s and 249 /24s
Percentage of available AfriNIC address space announced: 30.1
AfriNIC AS Blocks 36864-37887 & ERX transfers
AfriNIC Address Blocks 41/8, 196/8,
APNIC Region per AS prefix count summary
----------------------------------------
  ASN  No of nets  /20 equiv  MaxAgg  Description
 4755        1612        386      85  Videsh Sanchar Nigam Ltd. Aut
 9583        1151        140      16  Sify Limited
 9498        1123        551      65  BHARTI BT INTERNET LTD.
17488        1033         66      86  Hathway IP Over Cable Interne
 4134         855      12473     317  CHINANET-BACKBONE
 4766         849       6005     340  Korea Telecom (KIX)
18101         673        126      52  Reliance Infocom Ltd Internet
 9829         594        449      11  BSNL National Internet Backbo
 4812         561        967      91  China Telecom (Shanghai)
 1221         545       1951     420  Telstra Pty Ltd
Complete listing at http://thyme.apnic.net/current/data-ASnet-APNIC
ARIN Region per AS prefix count summary
---------------------------------------
  ASN  No of nets  /20 equiv  MaxAgg  Description
 7018        1413       5926    1000  AT&T WorldNet Services
 2386        1390        657     850  AT&T Data Communications Serv
 4323        1386       1028     367  Time Warner Telecom
11492        1216        146      23  Cable One
 7011        1073        312     610  Citizens Utilities
18566        1046        296      10  Covad Communications
20115        1038        830     495  Charter Communications
 1785        1008        479     107  AppliedTheory Corporation
 6197         989        728     477  BellSouth Network Solutions,
  174         968       6836     816  Cogent Communications
Complete listing at http://thyme.apnic.net/current/data-ASnet-ARIN
RIPE Region per AS prefix count summary
---------------------------------------
  ASN  No of nets  /20 equiv  MaxAgg  Description
 3292         395       1776     360  TDC Tele Danmark
 8452         383        188       7  TEDATA
 3301         341       1459     310  TeliaNet Sweden
 3320         322       7045     267  Deutsche Telekom AG
 8866         293         78      24  Bulgarian Telecommunication C
 3215         277       2655      91  France Telecom Transpac
 5462         275        666      26  Telewest Broadband
 6746         263        127     241  Dynamic Network Technologies,
  680         259       2046     258  DFN-IP service G-WiN
 8708         254        421     245  Romania Data Systems S.A.
Complete listing at http://thyme.apnic.net/current/data-ASnet-RIPE
LACNIC Region per AS prefix count summary
-----------------------------------------
  ASN  No of nets  /20 equiv  MaxAgg  Description
 8151        1186       2449     220  UniNet S.A. de C.V.
11830         556        299       9  Instituto Costarricense de El
 7303         452        220      60  Telecom Argentina Stet-France
16814         426         27      10  NSS, S.A.
11172         406        116      68  Servicios Alestra S.A de C.V
 6471         395         85      39  ENTEL CHILE S.A.
10620         392        103      51  TVCABLE BOGOTA
14117         352         25      15  Telefonica del Sur S.A.
22047         322        270      14  VTR PUNTO NET S.A.
10481         310        152      10  Prima S.A.
Complete listing at http://thyme.apnic.net/current/data-ASnet-LACNIC
AfriNIC Region per AS prefix count summary
------------------------------------------
  ASN  No of nets  /20 equiv  MaxAgg  Description
24863         451         60      27  LINKdotNET AS number
 3741         287        869     224  The Internet Solution
 2018         254        265     126  Tertiary Education Network
20858         215         34       3  EgyNet
 6713         143        135      11  Itissalat Al-MAGHRIB
33783         130          9      16  EEPAD TISP TELECOM & INTERNET
 5536         121          8      16  Internet Egypt Network
33776          99          6       7  Starcomms Nigeria Limited
24835          89         48       7  RAYA Telecom - Egypt
29571          80         13       7  Ci Telecom Autonomous system
Complete listing at http://thyme.apnic.net/current/data-ASnet-AFRINIC
Global Per AS prefix count summary
----------------------------------
  ASN  No of nets  /20 equiv  MaxAgg  Description
 6389        1768       2992      85  bellsouth.net, inc.
23577        1644         34     703  Korea Telecom (ATM-MPLS)
 4755        1612        386      85  Videsh Sanchar Nigam Ltd. Aut
 7018        1413       5926    1000  AT&T WorldNet Services
 2386        1390        657     850  AT&T Data Communications Serv
 4323        1386       1028     367  Time Warner Telecom
11492        1216        146      23  Cable One
 8151        1186       2449     220  UniNet S.A. de C.V.
 9583        1151        140      16  Sify Limited
 9498        1123        551      65  BHARTI BT INTERNET LTD.
Complete listing at http://thyme.apnic.net/current/data-ASnet
Global Per AS Maximum Aggr summary
----------------------------------
  ASN  No of nets  Net Savings  Description
 4755        1612         1527  Videsh Sanchar Nigam Ltd. Aut
11492        1216         1193  Cable One
 9583        1151         1135  Sify Limited
 9498        1123         1058  BHARTI BT INTERNET LTD.
18566        1046         1036  Covad Communications
 4323        1386         1019  Time Warner Telecom
 8151        1186          966  UniNet S.A. de C.V.
17676        1018          952  Softbank BB Corp.
17488        1033          947  Hathway IP Over Cable Interne
23577        1644          941  Korea Telecom (ATM-MPLS)
Complete listing at http://thyme.apnic.net/current/data-CIDRnet
List of Unregistered Origin ASNs (Global)
-----------------------------------------
Bad AS  Designation  Network         Transit AS  Description
 14780  UNALLOCATED  4.79.181.0/24        10310  Yahoo!
 12180  UNALLOCATED  4.79.248.0/24         1239  Sprint
 26478  UNALLOCATED  8.7.228.0/24          6461  AboveNet Communicati
 12180  UNALLOCATED  8.10.16.0/24          3549  Global Crossing
 12180  UNALLOCATED  8.10.58.0/23          3549  Global Crossing
 14779  UNALLOCATED  8.12.144.0/24        10310  Yahoo!
 16927  UNALLOCATED  12.0.252.0/23         7018  AT&T WorldNet Servic
 22492  UNALLOCATED  12.2.46.0/24          1239  Sprint
 14984  UNALLOCATED  12.2.192.0/24         7132  SBC Internet Service
 15132  UNALLOCATED  12.9.150.0/24          701  UUNET Technologies,
Complete listing at http://thyme.apnic.net/current/data-badAS
Advertised Unallocated Addresses
--------------------------------
Network           Origin AS  Description
24.51.159.0/24         7843  Adelphia Corp.
24.54.224.0/19        20001  HoldCo LLC - Road Runner
24.75.160.0/19        19548  Adelphia Business Solutions
24.75.192.0/18        19548  Adelphia Business Solutions
24.142.40.0/21         7018  AT&T WorldNet Services
24.142.160.0/19        7018  AT&T WorldNet Services
24.246.0.0/17          7018  AT&T WorldNet Services
24.246.128.0/18        7018  AT&T WorldNet Services
62.61.220.0/24        24974  Tachyon Europe BV - Wireless
63.140.213.0/24       22555  Universal Talkware Corporatio
Complete listing at http://thyme.apnic.net/current/data-add-IANA
Number of prefixes announced per prefix length (Global)
-------------------------------------------------------
/1:0 /2:0 /3:0 /4:0 /5:0 /6:0
/7:0 /8:19 /9:9 /10:16 /11:40 /12:137
/13:277 /14:499 /15:996 /16:9788 /17:4286 /18:7287
/19:15266 /20:17486 /21:16712 /22:21210 /23:22361 /24:131209
/25:769 /26:946 /27:488 /28:107 /29:9 /30:1
/31:0 /32:8
Advertised prefixes smaller than registry allocations
-----------------------------------------------------
  ASN  No of nets  Total ann.  Description
11492        1202        1216  Cable One
 2386        1091        1390  AT&T Data Communications Serv
18566        1027        1046  Covad Communications
 9583         987        1151  Sify Limited
 4755         959        1612  Videsh Sanchar Nigam Ltd. Aut
 7011         955        1073  Citizens Utilities
 6478         933         934  AT&T Worldnet Services
17488         848        1033  Hathway IP Over Cable Interne
23577         813        1644  Korea Telecom (ATM-MPLS)
 9498         796        1123  BHARTI BT INTERNET LTD.
Complete listing at http://thyme.apnic.net/current/data/sXXas-nos
Number of /24s announced per /8 block (Global)
----------------------------------------------
4:9 8:102 11:1 12:1998 13:1 15:21
16:3 17:6 18:12 20:35 24:1046 25:1
32:59 33:4 38:406 40:95 41:621 44:2
47:8 52:3 55:3 56:3 57:22 58:514
59:427 60:422 61:983 62:1106 63:1963 64:3352
65:2360 66:3619 67:1064 68:661 69:2109 70:510
71:141 72:1521 73:6 74:886 75:222 76:275
77:626 78:528 79:120 80:884 81:848 82:611
83:364 84:549 85:943 86:388 87:632 88:309
89:1209 90:11 91:1119 92:235 93:141 96:18
97:16 98:100 99:3 116:568 117:278 118:77
119:350 121:470 122:722 123:298 124:803 125:1126
128:321 129:201 130:124 131:402 132:67 133:9
134:188 135:32 136:221 137:119 138:154 139:65
140:483 141:109 142:376 143:275 144:346 145:54
146:334 147:132 148:494 149:180 150:121 151:161
152:142 153:127 154:11 155:266 156:208 157:252
158:167 159:222 160:265 161:110 162:206 163:197
164:568 165:431 166:296 167:428 168:593 169:128
170:425 171:28 172:3 189:145 190:1530 192:5768
193:4100 194:3264 195:2380 196:1058 198:3762 199:3230
200:5498 201:1311 202:7535 203:7790 204:3998 205:2086
206:2414 207:2719 208:3206 209:3473 210:2524 211:1062
212:1288 213:1605 214:445 215:48 216:4228 217:1229
218:349 219:403 220:1056 221:403 222:313
End of report