Monthly List Reminder
by noreply@apnic.net
Dear Subscriber,
This is the monthly reminder of subscription information for the
apops list, hosted at APNIC.
For subscription information including how to un-subscribe go to
http://mailman.apnic.net/mailman/listinfo/apops
Thank you for participating in this discussion.
Kind Regards,
List administrator
10 years, 3 months
- 1
- 0
BGP Update Report
by cidr-report@potaroo.net
BGP Update Report
Interval: 22-Mar-12 -to- 29-Mar-12 (7 days)
Observation Point: BGP Peering with AS131072
TOP 20 Unstable Origin AS
Rank ASN Upds % Upds/Pfx AS-Name
1 - AS786 98735 3.9% 484.0 -- JANET The JNT Association
2 - AS8402 78832 3.1% 39.1 -- CORBINA-AS OJSC "Vimpelcom"
3 - AS9829 42019 1.6% 34.8 -- BSNL-NIB National Internet Backbone
4 - AS12479 27956 1.1% 42.6 -- UNI2-AS France Telecom Espana SA
5 - AS24560 25962 1.0% 25.3 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
6 - AS7552 24172 0.9% 20.3 -- VIETEL-AS-AP Vietel Corporation
7 - AS32528 22938 0.9% 2293.8 -- ABBOTT Abbot Labs
8 - AS7029 21407 0.8% 6.0 -- WINDSTREAM - Windstream Communications Inc
9 - AS27947 20116 0.8% 28.5 -- Telconet S.A
10 - AS26615 18678 0.7% 20.7 -- Tim Celular S.A.
11 - AS28683 17766 0.7% 323.0 -- BENINTELECOM
12 - AS5800 16470 0.7% 52.0 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
13 - AS23216 16342 0.6% 92.3 -- MEGADATOS S.A.
14 - AS7843 15780 0.6% 52.1 -- TWCABLE-BACKBONE - Road Runner HoldCo LLC
15 - AS17974 14834 0.6% 8.3 -- TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
16 - AS45899 11964 0.5% 37.2 -- VNPT-AS-VN VNPT Corp
17 - AS28573 11799 0.5% 5.8 -- NET Servicos de Comunicao S.A.
18 - AS8452 11344 0.5% 8.7 -- TE-AS TE-AS
19 - AS12008 10792 0.4% 131.6 -- ULTRADNS - Centergate Research, LLC.
20 - AS8151 10663 0.4% 7.1 -- Uninet S.A. de C.V.
TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank ASN Upds % Upds/Pfx AS-Name
1 - AS13277 8990 0.3% 4495.0 -- HP-MS HP-MS Autonomous System
2 - AS57767 2353 0.1% 2353.0 -- RTTC-AS Federal State-owned Enterprise Russian Television and Radio Broadcasting Network
3 - AS32528 22938 0.9% 2293.8 -- ABBOTT Abbot Labs
4 - AS36926 7691 0.3% 1538.2 -- CKL1-ASN
5 - AS26678 1091 0.0% 1091.0 -- ASN-QMFI - QUINCY MUTUAL FIRE INSURANCE, CO.
6 - AS23266 1050 0.0% 1050.0 -- COMCAST-23266 - Comcast Cable Communications
7 - AS55665 926 0.0% 926.0 -- STMI-AS-ID PT Sampoerna Telemedia Indonesia
8 - AS6066 1371 0.1% 685.5 -- VERIZON-BUSINESS-MAE-AS6066 - Verizon Business Network Services Inc.
9 - AS16045 677 0.0% 677.0 -- SPEKTAR-AD Spektar AD
10 - AS16935 2000 0.1% 666.7 -- KSC-NETWORKS - Kingland Systems Corp.
11 - AS56915 617 0.0% 617.0 -- ASELITTELECOM Elit Telecom Ltd.
12 - AS15770 593 0.0% 593.0 -- DERWENTSIDE Derwentside District Council
13 - AS26779 1760 0.1% 586.7 -- PANDO-NETWORKS - Pando Networks
14 - AS48018 582 0.0% 582.0 -- MTB-COMPUTER-SERVICES-LTD MTB Computer Services Ltd
15 - AS48632 580 0.0% 580.0 -- BTS-HOLDINGS-PLC BTS Holdings PLC
16 - AS39779 576 0.0% 576.0 -- MESHDIGITAL Mesh Digital Ltd
17 - AS12295 570 0.0% 570.0 -- LONDONLINK Professional Telecommunications Ltd.
18 - AS28861 569 0.0% 569.0 -- CARR-FUTURES-LONDON-AS Carr Futures Inc London
19 - AS31392 558 0.0% 558.0 -- PHOENIX-VENTURE-HOLDINGS-AS Phoenix Venture Holdings Ltd
20 - AS53045 1090 0.0% 545.0 --
TOP 20 Unstable Prefixes
Rank Prefix Upds % Origin AS -- AS Name
1 - 130.36.34.0/24 11460 0.4% AS32528 -- ABBOTT Abbot Labs
2 - 130.36.35.0/24 11460 0.4% AS32528 -- ABBOTT Abbot Labs
3 - 204.234.0.0/17 10768 0.4% AS7029 -- WINDSTREAM - Windstream Communications Inc
4 - 62.36.252.0/22 8621 0.3% AS12479 -- UNI2-AS France Telecom Espana SA
5 - 62.36.249.0/24 6491 0.2% AS12479 -- UNI2-AS France Telecom Espana SA
6 - 122.161.0.0/16 6329 0.2% AS24560 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
7 - 182.64.0.0/16 6240 0.2% AS24560 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
8 - 62.36.241.0/24 5903 0.2% AS12479 -- UNI2-AS France Telecom Espana SA
9 - 62.36.210.0/24 5675 0.2% AS12479 -- UNI2-AS France Telecom Espana SA
10 - 194.63.9.0/24 4915 0.2% AS1273 -- CW Cable and Wireless Worldwide plc
11 - 194.209.13.0/24 4495 0.2% AS13277 -- HP-MS HP-MS Autonomous System
12 - 194.209.211.0/24 4495 0.2% AS13277 -- HP-MS HP-MS Autonomous System
13 - 217.15.120.0/22 4336 0.2% AS56696 -- ASLIQUID-MPLS Liquid Telecommunications Ltd
14 - 205.107.121.0/24 4335 0.2% AS5976 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
15 - 41.223.57.0/24 3839 0.1% AS36926 -- CKL1-ASN
16 - 41.223.56.0/24 3839 0.1% AS36926 -- CKL1-ASN
17 - 202.153.174.0/24 3470 0.1% AS17408 -- ABOVE-AS-AP AboveNet Communications Taiwan
18 - 67.214.235.0/24 3438 0.1% AS29933 -- OFF-CAMPUS-TELECOMMUNICATIONS - Off Campus Telecommunications
19 - 205.106.248.0/24 3277 0.1% AS5976 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
20 - 96.45.89.0/24 2905 0.1% AS16552 -- TIGGEE - Tiggee LLC
Details at http://bgpupdates.potaroo.net
------------------------------------
Copies of this report are mailed to:
nanog(a)nanog.org
eof-list(a)ripe.net
apops(a)apops.net
routing-wg(a)ripe.net
afnog(a)afnog.org
10 years, 3 months
- 1
- 0
The Cidr Report
by cidr-report@potaroo.net
This report has been generated at Fri Mar 30 21:12:26 2012 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.
Check http://www.cidr-report.org for a current version of this report.
Recent Table History
Date Prefixes CIDR Agg
23-03-12 405211 237312
24-03-12 406791 237506
25-03-12 406910 237612
26-03-12 407108 237709
27-03-12 407254 237193
28-03-12 406770 236263
29-03-12 406051 236496
30-03-12 406585 236469
AS Summary
40664 Number of ASes in routing system
17035 Number of ASes announcing only one prefix
3419 Largest number of prefixes announced by an AS
AS7029 : WINDSTREAM - Windstream Communications Inc
111385888 Largest address span announced by an AS (/32s)
AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street
Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').
--- 30Mar12 ---
ASnum NetsNow NetsAggr NetGain % Gain Description
Table 406832 236438 170394 41.9% All ASes
AS6389 3379 199 3180 94.1% BELLSOUTH-NET-BLK -
BellSouth.net Inc.
AS7029 3419 1820 1599 46.8% WINDSTREAM - Windstream
Communications Inc
AS4766 2483 1015 1468 59.1% KIXS-AS-KR Korea Telecom
AS22773 1552 120 1432 92.3% ASN-CXA-ALL-CCI-22773-RDC -
Cox Communications Inc.
AS2118 1427 14 1413 99.0% RELCOM-AS OOO "NPO Relcom"
AS18566 2092 705 1387 66.3% COVAD - Covad Communications
Co.
AS28573 1745 492 1253 71.8% NET Servicos de Comunicao S.A.
AS4323 1603 384 1219 76.0% TWTC - tw telecom holdings,
inc.
AS4755 1572 394 1178 74.9% TATACOMM-AS TATA
Communications formerly VSNL
is Leading ISP
AS1785 1892 805 1087 57.5% AS-PAETEC-NET - PaeTec
Communications, Inc.
AS10620 1817 809 1008 55.5% Telmex Colombia S.A.
AS7552 1173 221 952 81.2% VIETEL-AS-AP Vietel
Corporation
AS8402 1738 805 933 53.7% CORBINA-AS OJSC "Vimpelcom"
AS7303 1353 439 914 67.6% Telecom Argentina S.A.
AS26615 903 28 875 96.9% Tim Celular S.A.
AS8151 1493 671 822 55.1% Uninet S.A. de C.V.
AS18101 932 157 775 83.2% RELIANCE-COMMUNICATIONS-IN
Reliance Communications
Ltd.DAKC MUMBAI
AS4808 1101 347 754 68.5% CHINA169-BJ CNCGROUP IP
network China169 Beijing
Province Network
AS9394 888 207 681 76.7% CRNET CHINA RAILWAY
Internet(CRNET)
AS7545 1659 983 676 40.7% TPG-INTERNET-AP TPG Internet
Pty Ltd
AS17974 1787 1115 672 37.6% TELKOMNET-AS2-AP PT
Telekomunikasi Indonesia
AS30036 1415 774 641 45.3% MEDIACOM-ENTERPRISE-BUSINESS -
Mediacom Communications Corp
AS3356 1099 461 638 58.1% LEVEL3 Level 3 Communications
AS17676 686 74 612 89.2% GIGAINFRA Softbank BB Corp.
AS19262 996 401 595 59.7% VZGNI-TRANSIT - Verizon Online
LLC
AS24560 1021 434 587 57.5% AIRTELBROADBAND-AS-AP Bharti
Airtel Ltd., Telemedia
Services
AS3549 1004 435 569 56.7% GBLX Global Crossing Ltd.
AS22561 991 422 569 57.4% DIGITAL-TELEPORT - Digital
Teleport Inc.
AS4804 654 95 559 85.5% MPX-AS Microplex PTY LTD
AS22047 584 31 553 94.7% VTR BANDA ANCHA S.A.
Total 44458 14857 29601 66.6% Top 30 total
Possible Bogus Routes
10.86.64.32/30 AS65530 -Private Use AS-
10.86.64.36/30 AS65530 -Private Use AS-
10.86.65.32/30 AS65530 -Private Use AS-
10.86.65.36/30 AS65530 -Private Use AS-
10.255.255.0/30 AS65530 -Private Use AS-
10.255.255.4/30 AS65530 -Private Use AS-
10.255.255.8/30 AS65530 -Private Use AS-
14.192.0.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.4.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.8.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.12.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.16.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.20.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.24.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
14.192.28.0/22 AS45464 NEXTWEB-AS-AP Room 201, TGU Bldg
27.112.114.0/24 AS23884 PROENNET-AS Proimage Engineering and Communication Co.,Ltd.
37.208.120.0/21 AS50077 MGN-STK-AS "Set-Telekom" Ltd.
37.208.120.0/24 AS50077 MGN-STK-AS "Set-Telekom" Ltd.
37.208.121.0/24 AS50077 MGN-STK-AS "Set-Telekom" Ltd.
37.208.122.0/24 AS50077 MGN-STK-AS "Set-Telekom" Ltd.
37.208.123.0/24 AS50077 MGN-STK-AS "Set-Telekom" Ltd.
37.208.124.0/24 AS50077 MGN-STK-AS "Set-Telekom" Ltd.
37.208.125.0/24 AS50077 MGN-STK-AS "Set-Telekom" Ltd.
37.208.126.0/24 AS50077 MGN-STK-AS "Set-Telekom" Ltd.
37.208.127.0/24 AS50077 MGN-STK-AS "Set-Telekom" Ltd.
37.212.0.0/14 AS6697 BELPAK-AS Republican Association BELTELECOM
37.216.0.0/15 AS34744 GVM S.C. GVM SISTEM 2003 S.R.L.
41.222.79.0/24 AS36938 AMSCOTELECOMS Amsco Telecommunications Nigeria Limited
62.61.220.0/24 AS24974 TACHYON-EU Tachyon Europe BV
62.61.221.0/24 AS24974 TACHYON-EU Tachyon Europe BV
66.171.32.0/20 AS705 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
66.180.239.0/24 AS35888 VIGNETTE - VIGNETTE CORPORATION
66.207.32.0/20 AS23011
66.245.176.0/20 AS19318 NJIIX-AS-1 - NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC
66.251.128.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.133.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.134.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.136.0/21 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.140.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.141.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.142.0/24 AS33227 BLUEBRIDGE-NETWORKS - Blue Bridge Networks
66.251.143.0/24 AS3356 LEVEL3 Level 3 Communications
69.46.224.0/20 AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
69.46.233.0/24 AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
69.46.236.0/24 AS32592 HUNT-BROTHERS-OF-LOUISIANA-LLC - Hunt Brothers
71.19.134.0/23 AS3313 INET-AS BT Italia S.p.A.
72.44.16.0/20 AS15054 HAMELTRONICS - Hameltronics, LLC
74.91.48.0/24 AS14208
74.91.49.0/24 AS14208
74.91.50.0/24 AS14208
74.91.51.0/24 AS14208
74.91.52.0/24 AS14208
74.91.53.0/24 AS14208
74.91.54.0/24 AS14208
74.91.55.0/24 AS14208
74.91.56.0/24 AS14208
74.91.57.0/24 AS14208
74.91.58.0/24 AS14208
74.91.59.0/24 AS14208
74.91.60.0/24 AS14208
74.91.61.0/24 AS14208
74.91.62.0/24 AS14208
74.91.63.0/24 AS14208
98.159.96.0/20 AS46975
110.34.44.0/22 AS12653 COMTONET KB Impuls Hellas S.A.
116.206.72.0/24 AS6461 MFNX MFN - Metromedia Fiber Network
116.206.85.0/24 AS6461 MFNX MFN - Metromedia Fiber Network
116.206.103.0/24 AS6461 MFNX MFN - Metromedia Fiber Network
117.120.56.0/21 AS4755 TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
121.46.0.0/16 AS4134 CHINANET-BACKBONE No.31,Jin-rong Street
142.54.0.0/19 AS23498 CDSI - Cogeco Data Services Inc.
172.45.1.0/24 AS3356 LEVEL3 Level 3 Communications
172.45.2.0/24 AS29571 CITelecom-AS
172.45.3.0/24 AS29571 CITelecom-AS
172.102.0.0/22 AS4812 CHINANET-SH-AP China Telecom (Group)
172.223.60.0/22 AS6910 DIALTELECOMRO Dial Telecom S.R.L.
200.1.112.0/24 AS29754 GO2TEL GO2TEL.COM INC.
200.6.93.0/24 AS6400 Compañía Dominicana de Teléfonos, C. por A. - CODETEL
200.6.94.0/24 AS6400 Compañía Dominicana de Teléfonos, C. por A. - CODETEL
200.6.95.0/24 AS6400 Compañía Dominicana de Teléfonos, C. por A. - CODETEL
200.23.84.0/24 AS8151 Uninet S.A. de C.V.
200.24.73.0/24 AS26061 Equant Colombia
200.33.40.0/24 AS11172 Alestra, S. de R.L. de C.V.
200.34.0.0/20 AS6342 Instituto Tecnológico y de Estudios Superiores de Monterrey
200.53.0.0/19 AS13878 Diveo do Brasil Telecomunicacoes Ltda
202.1.224.0/24 AS10097 FLOWCOM Flow Communications 2/541 Kent St Sydney NSW 2000
202.8.106.0/24 AS9530 SHINSEGAE-AS SHINSEGAE I&C Co., Ltd.
202.58.113.0/24 AS19161
202.61.75.0/24 AS9927 PHILCOMNET-PH A Multihomed ISP Company
202.83.120.0/21 AS37972
202.83.124.0/24 AS37972
202.83.125.0/24 AS37972
202.83.126.0/24 AS37972
202.86.32.0/20 AS18255 BRISBANE-AP Brisbane City Council
202.94.1.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
202.122.134.0/24 AS38615
202.133.70.0/24 AS38616 WORLDCALL-AS-KHI Worldcall Telecom Limited
202.140.128.0/19 AS9583 SIFY-AS-IN Sify Limited
202.160.152.0/22 AS10113 EFTEL-AS-AP Eftel Limited.
202.174.125.0/24 AS9498 BBIL-AP BHARTI Airtel Ltd.
202.176.1.0/24 AS9942 COMINDICO-AP SOUL Converged Communications Australia
202.179.134.0/24 AS23966 LDN-AS-PK LINKdotNET Telecom Limited
203.23.1.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications
203.24.38.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications
203.30.127.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications
203.32.86.0/23 AS18111 NETSPEED-AS-AP Netspeed Internet Communications
203.32.86.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications
203.32.87.0/24 AS18111 NETSPEED-AS-AP Netspeed Internet Communications
203.32.188.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd
203.142.219.0/24 AS45149
205.150.0.0/15 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
205.175.214.0/24 AS5583 ORANGE-BUSINESS-SERVICES-BENELUX France Telecom S.A.
206.123.129.0/24 AS10790 INREACH-AS - InReach Internet
206.197.184.0/24 AS23304 DATOTEL-STL-AS - Datotel LLC, a NetLabs LLC Company
207.174.131.0/24 AS26116 INDRA - Indra's Net Inc
207.174.132.0/23 AS26116 INDRA - Indra's Net Inc
207.174.152.0/23 AS26116 INDRA - Indra's Net Inc
207.174.154.0/24 AS26116 INDRA - Indra's Net Inc
207.174.155.0/24 AS26116 INDRA - Indra's Net Inc
207.174.200.0/24 AS22658 EARTHNET - Earthnet, Inc.
207.174.248.0/21 AS6653 PRIVATEI - privateI, LLC
207.231.96.0/19 AS11194 NUNETPA - NuNet Inc.
208.83.53.0/24 AS40569 YGOMI-AS - Ygomi LLC
208.91.56.0/21 AS22241 IC2NET - IC2NET
208.91.56.0/24 AS22241 IC2NET - IC2NET
208.91.57.0/24 AS22241 IC2NET - IC2NET
208.91.58.0/24 AS22241 IC2NET - IC2NET
208.91.59.0/24 AS22241 IC2NET - IC2NET
208.91.60.0/24 AS22241 IC2NET - IC2NET
208.91.61.0/24 AS22241 IC2NET - IC2NET
208.91.62.0/24 AS22241 IC2NET - IC2NET
208.91.63.0/24 AS22241 IC2NET - IC2NET
209.148.64.0/19 AS13773 TELNETCOMM - Telnet Communications
209.177.64.0/20 AS6461 MFNX MFN - Metromedia Fiber Network
209.213.0.0/20 AS33005 ELTOPIA - Eltopia.com, LLC
210.56.150.0/23 AS38138 INTECH-TRANSIT-BD InTech Online Limited, INTERNET SERVICE LIMITED
216.12.160.0/20 AS26627 AS-PILOSOFT - Pilosoft, Inc.
216.21.160.0/20 AS27876 American Data Networks
216.194.160.0/20 AS27876 American Data Networks
Please see http://www.cidr-report.org for the full report
------------------------------------
Copies of this report are mailed to:
nanog(a)nanog.org
eof-list(a)ripe.net
apops(a)apops.net
routing-wg(a)ripe.net
afnog(a)afnog.org
10 years, 3 months
- 1
- 0
Weekly Routing Table Report
by Routing Analysis Role Account
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.
The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG,
TRNOG, CaribNOG and the RIPE Routing Working Group.
Daily listings are sent to bgp-stats(a)lists.apnic.net
For historical data, please see http://thyme.rand.apnic.net.
If you have any comments please contact Philip Smith <pfsinoz(a)gmail.com>.
Routing Table Report 04:00 +10GMT Sat 31 Mar, 2012
Report Website: http://thyme.rand.apnic.net
Detailed Analysis: http://thyme.rand.apnic.net/current/
Analysis Summary
----------------
BGP routing table entries examined: 403929
Prefixes after maximum aggregation: 171635
Deaggregation factor: 2.35
Unique aggregates announced to Internet: 195814
Total ASes present in the Internet Routing Table: 40542
Prefixes per ASN: 9.96
Origin-only ASes present in the Internet Routing Table: 32969
Origin ASes announcing only one prefix: 15468
Transit ASes present in the Internet Routing Table: 5416
Transit-only ASes present in the Internet Routing Table: 140
Average AS path length visible in the Internet Routing Table: 4.4
Max AS path length visible: 32
Max AS path prepend of ASN (48687) 24
Prefixes from unregistered ASNs in the Routing Table: 555
Unregistered ASNs in the Routing Table: 265
Number of 32-bit ASNs allocated by the RIRs: 2342
Number of 32-bit ASNs visible in the Routing Table: 2157
Prefixes from 32-bit ASNs in the Routing Table: 5295
Special use prefixes present in the Routing Table: 2
Prefixes being announced from unallocated address space: 1252
Number of addresses announced to Internet: 2531398224
Equivalent to 150 /8s, 226 /16s and 18 /24s
Percentage of available address space announced: 68.3
Percentage of allocated address space announced: 68.3
Percentage of available address space allocated: 100.0
Percentage of address space in use by end-sites: 92.1
Total number of prefixes smaller than registry allocations: 171545
APNIC Region Analysis Summary
-----------------------------
Prefixes being announced by APNIC Region ASes: 98994
Total APNIC prefixes after maximum aggregation: 32099
APNIC Deaggregation factor: 3.08
Prefixes being announced from the APNIC address blocks: 95394
Unique aggregates announced from the APNIC address blocks: 39244
APNIC Region origin ASes present in the Internet Routing Table: 4680
APNIC Prefixes per ASN: 20.38
APNIC Region origin ASes announcing only one prefix: 1238
APNIC Region transit ASes present in the Internet Routing Table: 730
Average APNIC Region AS path length visible: 4.6
Max APNIC Region AS path length visible: 19
Number of APNIC region 32-bit ASNs visible in the Routing Table: 171
Number of APNIC addresses announced to Internet: 642314080
Equivalent to 38 /8s, 72 /16s and 239 /24s
Percentage of available APNIC address space announced: 81.5
APNIC AS Blocks 4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations) 23552-24575, 37888-38911, 45056-46079, 55296-56319,
58368-59391, 131072-132095, 132096-133119
APNIC Address Blocks 1/8, 14/8, 27/8, 36/8, 39/8, 42/8, 43/8,
49/8, 58/8, 59/8, 60/8, 61/8, 101/8, 103/8,
106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8,
116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8,
123/8, 124/8, 125/8, 126/8, 133/8, 175/8, 180/8,
182/8, 183/8, 202/8, 203/8, 210/8, 211/8, 218/8,
219/8, 220/8, 221/8, 222/8, 223/8,
ARIN Region Analysis Summary
----------------------------
Prefixes being announced by ARIN Region ASes: 149258
Total ARIN prefixes after maximum aggregation: 75828
ARIN Deaggregation factor: 1.97
Prefixes being announced from the ARIN address blocks: 120636
Unique aggregates announced from the ARIN address blocks: 49969
ARIN Region origin ASes present in the Internet Routing Table: 14935
ARIN Prefixes per ASN: 8.08
ARIN Region origin ASes announcing only one prefix: 5686
ARIN Region transit ASes present in the Internet Routing Table: 1569
Average ARIN Region AS path length visible: 4.0
Max ARIN Region AS path length visible: 22
Number of ARIN region 32-bit ASNs visible in the Routing Table: 16
Number of ARIN addresses announced to Internet: 805141184
Equivalent to 47 /8s, 253 /16s and 122 /24s
Percentage of available ARIN address space announced: 64.0
ARIN AS Blocks 1-1876, 1902-2042, 2044-2046, 2048-2106
(pre-ERX allocations) 2138-2584, 2615-2772, 2823-2829, 2880-3153
3354-4607, 4865-5119, 5632-6655, 6912-7466
7723-8191, 10240-12287, 13312-15359, 16384-17407
18432-20479, 21504-23551, 25600-26591,
26624-27647, 29696-30719, 31744-33791
35840-36863, 39936-40959, 46080-47103
53248-55295, 393216-394239
ARIN Address Blocks 3/8, 4/8, 6/8, 7/8, 8/8, 9/8, 11/8,
12/8, 13/8, 15/8, 16/8, 17/8, 18/8, 19/8,
20/8, 21/8, 22/8, 23/8, 24/8, 26/8, 28/8,
29/8, 30/8, 32/8, 33/8, 34/8, 35/8, 38/8,
40/8, 44/8, 45/8, 47/8, 48/8, 50/8, 52/8,
53/8, 54/8, 55/8, 56/8, 57/8, 63/8, 64/8,
65/8, 66/8, 67/8, 68/8, 69/8, 70/8, 71/8,
72/8, 73/8, 74/8, 75/8, 76/8, 96/8, 97/8,
98/8, 99/8, 100/8, 104/8, 107/8, 108/8, 173/8,
174/8, 184/8, 199/8, 204/8, 205/8, 206/8, 207/8,
208/8, 209/8, 214/8, 215/8, 216/8,
RIPE Region Analysis Summary
----------------------------
Prefixes being announced by RIPE Region ASes: 100814
Total RIPE prefixes after maximum aggregation: 53186
RIPE Deaggregation factor: 1.90
Prefixes being announced from the RIPE address blocks: 92127
Unique aggregates announced from the RIPE address blocks: 57226
RIPE Region origin ASes present in the Internet Routing Table: 16345
RIPE Prefixes per ASN: 5.64
RIPE Region origin ASes announcing only one prefix: 7946
RIPE Region transit ASes present in the Internet Routing Table: 2622
Average RIPE Region AS path length visible: 4.7
Max RIPE Region AS path length visible: 32
Number of RIPE region 32-bit ASNs visible in the Routing Table: 1462
Number of RIPE addresses announced to Internet: 502238984
Equivalent to 29 /8s, 239 /16s and 143 /24s
Percentage of available RIPE address space announced: 80.9
RIPE AS Blocks 1877-1901, 2043, 2047, 2107-2136, 2585-2614
(pre-ERX allocations) 2773-2822, 2830-2879, 3154-3353, 5377-5631
6656-6911, 8192-9215, 12288-13311, 15360-16383
20480-21503, 24576-25599, 28672-29695
30720-31743, 33792-35839, 38912-39935
40960-45055, 47104-52223, 56320-58367
196608-198655
RIPE Address Blocks 2/8, 5/8, 25/8, 31/8, 37/8, 46/8, 51/8,
62/8, 77/8, 78/8, 79/8, 80/8, 81/8, 82/8,
83/8, 84/8, 85/8, 86/8, 87/8, 88/8, 89/8,
90/8, 91/8, 92/8, 93/8, 94/8, 95/8, 109/8,
176/8, 178/8, 185/8, 193/8, 194/8, 195/8, 212/8,
213/8, 217/8,
LACNIC Region Analysis Summary
------------------------------
Prefixes being announced by LACNIC Region ASes: 40250
Total LACNIC prefixes after maximum aggregation: 8151
LACNIC Deaggregation factor: 4.94
Prefixes being announced from the LACNIC address blocks: 39809
Unique aggregates announced from the LACNIC address blocks: 19696
LACNIC Region origin ASes present in the Internet Routing Table: 1574
LACNIC Prefixes per ASN: 25.29
LACNIC Region origin ASes announcing only one prefix: 434
LACNIC Region transit ASes present in the Internet Routing Table: 295
Average LACNIC Region AS path length visible: 4.4
Max LACNIC Region AS path length visible: 21
Number of LACNIC region 32-bit ASNs visible in the Routing Table: 503
Number of LACNIC addresses announced to Internet: 98765960
Equivalent to 5 /8s, 227 /16s and 12 /24s
Percentage of available LACNIC address space announced: 65.4
LACNIC AS Blocks 26592-26623, 27648-28671, 52224-53247,
262144-263167 plus ERX transfers
LACNIC Address Blocks 177/8, 179/8, 181/8, 186/8, 187/8, 189/8, 190/8,
200/8, 201/8,
AfriNIC Region Analysis Summary
-------------------------------
Prefixes being announced by AfriNIC Region ASes: 8916
Total AfriNIC prefixes after maximum aggregation: 2121
AfriNIC Deaggregation factor: 4.20
Prefixes being announced from the AfriNIC address blocks: 6971
Unique aggregates announced from the AfriNIC address blocks: 2163
AfriNIC Region origin ASes present in the Internet Routing Table: 526
AfriNIC Prefixes per ASN: 13.25
AfriNIC Region origin ASes announcing only one prefix: 164
AfriNIC Region transit ASes present in the Internet Routing Table: 115
Average AfriNIC Region AS path length visible: 4.5
Max AfriNIC Region AS path length visible: 25
Number of AfriNIC region 32-bit ASNs visible in the Routing Table: 5
Number of AfriNIC addresses announced to Internet: 31533568
Equivalent to 1 /8s, 225 /16s and 42 /24s
Percentage of available AfriNIC address space announced: 47.0
AfriNIC AS Blocks 36864-37887, 327680-328703 & ERX transfers
AfriNIC Address Blocks 41/8, 102/8, 105/8, 197/8,
APNIC Region per AS prefix count summary
----------------------------------------
ASN No of nets /20 equiv MaxAgg Description
4766 2479 11109 992 Korea Telecom (KIX)
17974 1787 503 63 PT TELEKOMUNIKASI INDONESIA
7545 1659 301 89 TPG Internet Pty Ltd
4755 1573 386 158 TATA Communications formerly
9583 1238 95 540 Sify Limited
9829 1209 1025 29 BSNL National Internet Backbo
7552 1173 1062 11 Vietel Corporation
4808 1102 2050 316 CNCGROUP IP network: China169
24560 1021 385 167 Bharti Airtel Ltd., Telemedia
18101 949 131 160 Reliance Infocom Ltd Internet
Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-APNIC
ARIN Region per AS prefix count summary
---------------------------------------
ASN No of nets /20 equiv MaxAgg Description
6389 3379 3807 196 bellsouth.net, inc.
7029 3379 990 155 Windstream Communications Inc
18566 2092 383 179 Covad Communications
1785 1889 680 129 PaeTec Communications, Inc.
20115 1633 1559 624 Charter Communications
4323 1602 1060 382 Time Warner Telecom
22773 1552 2910 111 Cox Communications, Inc.
30036 1415 256 745 Mediacom Communications Corp
7018 1282 9791 831 AT&T WorldNet Services
11492 1184 216 364 Cable One
Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-ARIN
RIPE Region per AS prefix count summary
---------------------------------------
ASN No of nets /20 equiv MaxAgg Description
8402 1792 544 16 Corbina telecom
2118 1427 97 13 EUnet/RELCOM Autonomous Syste
31148 677 37 9 FreeNet ISP
34984 673 188 174 BILISIM TELEKOM
12479 656 658 57 Uni2 Autonomous System
20940 646 206 498 Akamai Technologies European
6830 641 1943 412 UPC Distribution Services
8551 571 360 81 Bezeq International
3320 532 8442 398 Deutsche Telekom AG
2578 500 33 7 Demos, Moscow, Russia
Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-RIPE
LACNIC Region per AS prefix count summary
-----------------------------------------
ASN No of nets /20 equiv MaxAgg Description
10620 1817 330 131 TVCABLE BOGOTA
28573 1745 1105 60 NET Servicos de Comunicao S.A
8151 1491 3018 350 UniNet S.A. de C.V.
7303 1352 827 188 Telecom Argentina Stet-France
6503 1348 418 65 AVANTEL, S.A.
26615 903 700 28 Tim Brasil S.A.
27947 688 74 100 Telconet S.A
11172 636 91 73 Servicios Alestra S.A de C.V
22047 584 326 15 VTR PUNTO NET S.A.
3816 566 242 105 Empresa Nacional de Telecomun
Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-LACNIC
AfriNIC Region per AS prefix count summary
------------------------------------------
ASN No of nets /20 equiv MaxAgg Description
8452 1294 958 13 TEDATA
24863 848 274 35 LINKdotNET AS number
6713 491 649 18 Itissalat Al-MAGHRIB
3741 272 924 229 The Internet Solution
33776 208 12 21 Starcomms Nigeria Limited
12258 197 28 62 Vodacom Internet Company
24835 178 80 8 RAYA Telecom - Egypt
15706 168 32 6 Sudatel Internet Exchange Aut
16637 164 664 82 MTN Network Solutions
29571 159 15 16 Ci Telecom Autonomous system
Complete listing at http://thyme.rand.apnic.net/current/data-ASnet-AFRINIC
Global Per AS prefix count summary
----------------------------------
ASN No of nets /20 equiv MaxAgg Description
6389 3379 3807 196 bellsouth.net, inc.
7029 3379 990 155 Windstream Communications Inc
4766 2479 11109 992 Korea Telecom (KIX)
18566 2092 383 179 Covad Communications
1785 1889 680 129 PaeTec Communications, Inc.
10620 1817 330 131 TVCABLE BOGOTA
8402 1792 544 16 Corbina telecom
17974 1787 503 63 PT TELEKOMUNIKASI INDONESIA
28573 1745 1105 60 NET Servicos de Comunicao S.A
7545 1659 301 89 TPG Internet Pty Ltd
Complete listing at http://thyme.rand.apnic.net/current/data-ASnet
Global Per AS Maximum Aggr summary
----------------------------------
ASN No of nets Net Savings Description
7029 3379 3224 Windstream Communications Inc
18566 2092 1913 Covad Communications
8402 1792 1776 Corbina telecom
1785 1889 1760 PaeTec Communications, Inc.
17974 1787 1724 PT TELEKOMUNIKASI INDONESIA
10620 1817 1686 TVCABLE BOGOTA
28573 1745 1685 NET Servicos de Comunicao S.A
7545 1659 1570 TPG Internet Pty Ltd
4766 2479 1487 Korea Telecom (KIX)
22773 1552 1441 Cox Communications, Inc.
Complete listing at http://thyme.rand.apnic.net/current/data-CIDRnet
List of Unregistered Origin ASNs (Global)
-----------------------------------------
Bad AS Designation Network Transit AS Description
54439 UNALLOCATED 8.25.174.0/24 17378 DBS International
54470 UNALLOCATED 8.30.171.0/24 3356 Level 3 Communicatio
15132 UNALLOCATED 12.9.150.0/24 7018 AT&T WorldNet Servic
32567 UNALLOCATED 12.14.170.0/24 4323 Time Warner Telecom
32567 UNALLOCATED 12.25.107.0/24 4323 Time Warner Telecom
25639 UNALLOCATED 12.41.169.0/24 7018 AT&T WorldNet Servic
13317 UNALLOCATED 12.44.10.0/24 7018 AT&T WorldNet Servic
23502 UNALLOCATED 12.44.44.0/24 7018 AT&T WorldNet Servic
17300 UNALLOCATED 12.45.103.0/24 7018 AT&T WorldNet Servic
17300 UNALLOCATED 12.45.110.0/24 701 UUNET Technologies,
Complete listing at http://thyme.rand.apnic.net/current/data-badAS
Prefixes from private and non-routed address space (Global)
-----------------------------------------------------------
Prefix Origin AS Description
128.0.0.0/21 12654 RIPE NCC RIS Project
128.0.24.0/24 12654 RIPE NCC RIS Project
Complete listing at http://thyme.rand.apnic.net/current/data-dsua
Advertised Unallocated Addresses
--------------------------------
Network Origin AS Description
14.192.0.0/22 45464 Room 201, TGU Bldg
14.192.4.0/22 45464 Room 201, TGU Bldg
14.192.8.0/22 45464 Room 201, TGU Bldg
14.192.12.0/22 45464 Room 201, TGU Bldg
14.192.16.0/22 45464 Room 201, TGU Bldg
14.192.20.0/22 45464 Room 201, TGU Bldg
14.192.24.0/22 45464 Room 201, TGU Bldg
14.192.28.0/22 45464 Room 201, TGU Bldg
23.27.0.0/20 54500 EGIHosting
23.27.16.0/20 54500 EGIHosting
Complete listing at http://thyme.rand.apnic.net/current/data-add-IANA
Number of prefixes announced per prefix length (Global)
-------------------------------------------------------
/1:0 /2:0 /3:0 /4:0 /5:0 /6:0
/7:0 /8:19 /9:12 /10:28 /11:81 /12:235
/13:457 /14:833 /15:1482 /16:12185 /17:6278 /18:10478
/19:20577 /20:28760 /21:29730 /22:40327 /23:37561 /24:211199
/25:1192 /26:1432 /27:797 /28:170 /29:60 /30:17
/31:0 /32:19
Advertised prefixes smaller than registry allocations
-----------------------------------------------------
ASN No of nets Total ann. Description
7029 3039 3379 Windstream Communications Inc
6389 2095 3379 bellsouth.net, inc.
18566 2041 2092 Covad Communications
8402 1769 1792 Corbina telecom
10620 1707 1817 TVCABLE BOGOTA
30036 1359 1415 Mediacom Communications Corp
11492 1147 1184 Cable One
6503 1118 1348 AVANTEL, S.A.
8452 1102 1294 TEDATA
1785 1067 1889 PaeTec Communications, Inc.
Complete listing at http://thyme.rand.apnic.net/current/data-sXXas-nos
Number of /24s announced per /8 block (Global)
----------------------------------------------
1:531 2:755 4:14 6:3 8:394 12:1987
13:1 14:605 15:12 16:3 17:7 20:8
23:160 24:1754 27:1257 31:936 32:58 33:2
34:2 36:8 37:313 38:790 40:120 41:3086
42:129 44:3 46:1454 47:3 49:343 50:535
52:13 54:6 55:11 56:3 57:32 58:966
59:495 60:278 61:1202 62:972 63:1996 64:4198
65:2274 66:4497 67:2022 68:1146 69:3184 70:910
71:465 72:1817 74:2591 75:493 76:317 77:959
78:1007 79:498 80:1210 81:897 82:666 83:548
84:513 85:1205 86:408 87:900 88:342 89:1623
90:297 91:4657 92:516 93:1376 94:1461 95:1160
96:377 97:316 98:844 99:37 100:6 101:168
103:929 106:66 107:180 108:218 109:1275 110:759
111:901 112:445 113:593 114:652 115:780 116:908
117:724 118:907 119:1207 120:350 121:696 122:1665
123:1099 124:1363 125:1263 128:561 129:189 130:256
131:595 132:173 133:21 134:242 135:62 136:212
137:176 138:351 139:145 140:494 141:244 142:385
143:399 144:513 145:66 146:485 147:243 148:748
149:298 150:157 151:176 152:460 153:171 154:7
155:430 156:215 157:379 158:176 159:525 160:343
161:248 162:343 163:190 164:555 165:391 166:562
167:464 168:819 169:127 170:844 171:124 172:4
173:1721 174:582 175:436 176:437 177:619 178:1310
180:1199 181:73 182:777 183:279 184:445 185:1
186:2136 187:1006 188:1158 189:1688 190:5498 192:5996
193:5608 194:4622 195:3589 196:1292 197:123 198:3617
199:4487 200:5805 201:1901 202:8463 203:8589 204:4342
205:2476 206:2752 207:2781 208:4053 209:3599 210:2764
211:1471 212:2008 213:1908 214:876 215:109 216:5079
217:1524 218:537 219:324 220:1228 221:557 222:325
223:329
End of report
10 years, 3 months
- 1
- 0
Cisco Security Advisory: Cisco IOS Software Command Authorization Bypass
by Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Cisco IOS Software Command Authorization Bypass
Advisory ID: cisco-sa-20120328-pai
Revision 1.0
For Public Release 2012 March 28 16:00 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
A vulnerability exists in the Cisco IOS Software that may allow a
remote application or device to exceed its authorization level when
authentication, authorization, and accounting (AAA) authorization is
used. This vulnerability requires that the HTTP or HTTPS server is
enabled on the Cisco IOS device.
Products that are not running Cisco IOS Software are not vulnerable.
Cisco has released free software updates that address these
vulnerabilities.
The HTTP server may be disabled as a workaround for the vulnerability
described in this advisory.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Note: The March 28, 2012, Cisco IOS Software Security Advisory
bundled publication includes nine Cisco Security Advisories. Each
advisory lists the Cisco IOS Software releases that correct the
vulnerability or vulnerabilities detailed in the advisory as well as
the Cisco IOS Software releases that correct all vulnerabilities in
the March 2012 bundled publication.
Individual publication links are in "Cisco Event Response:
Semi-Annual Cisco IOS Software Security Advisory Bundled Publication"
at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html
Affected Products
=================
Vulnerable Products
+------------------
Any device running Cisco IOS Software release after 12.2 that has an
HTTP or HTTPS server configured is affected by this vulnerability if
AAA authorization is used.
To determine if an HTTP or HTTP server is configured with an HTTP or
HTTPS server, issue the show ip http server status | include status
command. The following example illustrates a Cisco IOS device with an
HTTPS server enabled and the HTTP server disabled.
Router> show ip http server status | include status
HTTP server status: Disabled
HTTP secure server status: Enabled
To determine if AAA authorization is used, an administrator can log
in to the device and issue the show run | include aaa authorization
command in privileged EXEC mode. If there is an entry that shows aaa
authorization commands, as shown in the following example, then AAA
authorization is configured.
Router# show run | include aaa authorization commands
aaa authorization commands 0 default local group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default local
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 15.0(1)M1 with an installed image name of
C3900-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS and NX-OS
Software Reference Guide" at:
http://www.cisco.com/web/about/security/intelligence/ios-ref.html
Products Confirmed Not Vulnerable
+--------------------------------
If you are not running Cisco IOS or IOS XE software, you are not
affected by this vulnerability. Devices that are not using AAA
authorization or that do not have an HTTP or HTTPS server configured
are not affected by this vulnerability.
Cisco IOS XR is not affected by this vulnerability.
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
Cisco IOS allows remote applications to administer and monitor
devices running Cisco IOS Software over an HTTP or HTTPS connection.
A vulnerability exists that may allow the Cisco IOS command
authorization to be bypassed, allowing a remote, authenticated HTTP
or HTTPS session to execute any Cisco IOS command that is configured
for their authorization level. This vulnerability does not allow
unauthenticated access; a valid username and password are required to
successfully exploit this vulnerability. Additionally, the
vulnerability does not allow a user to execute commands that are not
configured for their privilege level.
The HTTP server is enabled by default for cluster configurations and
on the following Cisco switches: Catalyst 3700 series, Catalyst 3750
series, Catalyst 3550 series, Catalyst 3560 series, and Catalyst 2950
series.
More information on AAA authorization can be found at:
http://www.cisco.com/en/US/docs/ios/12_2t/secure/command/reference/sftauth.…
Releases of Cisco IOS Software after release 12.2 are potentially
vulnerable. Please refer to the release table below for more
information.
This vulnerability is documented as Cisco Bug ID CSCtr91106
and has been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2012-0384.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerability in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority
of a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the
environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* Command Authorization Fails for commands delivered over HTTP
CVSS Base Score - 8.5
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may allow the Cisco IOS
command authorization to be bypassed, allowing a remote,
authenticated HTTP or HTTPS session to execute any Cisco IOS command
that is configured for its authorization level.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt and review subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised
to contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
Cisco IOS Software
+-----------------
Each row of the following Cisco IOS Software table corresponds to a
Cisco IOS Software train. If a particular train is vulnerable, the
earliest releases that contain the fix are listed in the First Fixed
Release column. The First Fixed Release for All Advisories in the
March 2012 Bundled Publication column lists the earliest possible
releases that correct all the published vulnerabilities in the Cisco
IOS Software Security Advisory bundled publication. Cisco recommends
upgrading to the latest available release, where possible.
The Cisco IOS Software Checker allows customers to search for Cisco
Security Advisories that address specific Cisco IOS Software
releases. This tool is available on the Cisco Security Intelligence
Operations (SIO) portal at:
http://tools.cisco.com/security/center/selectIOSVersion.x
+------------------------------------------+
| Major | Availability of |
| Release | Repaired Releases |
|------------+-----------------------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 12.0-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------------------------------------|
| There are no affected 12.0 based |
| releases |
|------------------------------------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 12.2-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2 | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2B | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2BC | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2BW | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2BX | Not | First fixed |
| | vulnerable | in Release |
| | | 12.2SB |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2BY | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2BZ | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2CX | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2CY | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2CZ | Not | First fixed |
| | vulnerable | in Release |
| | | 12.0S |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2DA | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2DD | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2DX | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2EU | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | |
| | contact your | |
| | support | |
| | organization | Vulnerable; |
| | per the | contact your |
| | instructions | support |
| | in Obtaining | organization |
| | Fixed | per the |
| 12.2EW | Software | instructions |
| | section of | in Obtaining |
| | this | Fixed |
| | advisory. | Software |
| | Releases up | section of |
| | to and | this |
| | including | advisory. |
| | 12.2(20)EWA4 | |
| | are not | |
| | vulnerable. | |
|------------+--------------+--------------|
| | Vulnerable; | |
| | contact your | |
| | support | |
| | organization | Vulnerable; |
| | per the | contact your |
| | instructions | support |
| | in Obtaining | organization |
| | Fixed | per the |
| 12.2EWA | Software | instructions |
| | section of | in Obtaining |
| | this | Fixed |
| | advisory. | Software |
| | Releases up | section of |
| | to and | this |
| | including | advisory. |
| | 12.2(20)EWA4 | |
| | are not | |
| | vulnerable. | |
|------------+--------------+--------------|
| | Vulnerable; | |
| | First fixed | |
| | in Release | |
| | 15.0SE | Vulnerable; |
| 12.2EX | Releases up | First fixed |
| | to and | in Release |
| | including | 15.0SE |
| | 12.2(25)EX1 | |
| | are not | |
| | vulnerable. | |
|------------+--------------+--------------|
| 12.2EY | 12.2(52)EY4 | 12.2(52)EY4 |
| | 12.2(58)EY2 | |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2EZ | First fixed | First fixed |
| | in Release | in Release |
| | 15.0SE | 15.0SE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2FX | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SE | 15.0SE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2FY | First fixed | First fixed |
| | in Release | in Release |
| | 15.0SE | 15.0SE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2FZ | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SE | 15.0SE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2IRA | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SRD | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2IRB | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SRD | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2IRC | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SRD | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2IRD | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SRD | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2IRE | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SRD | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2IRF | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SRD | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.2IRG | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2IRH | 12.2(33)IRH1 | instructions |
| | | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2IXA | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2IXB | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2IXC | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2IXD | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2IXE | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2IXF | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2IXG | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2IXH | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| 12.2JA | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| 12.2JK | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2MB | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2MC | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2MRA | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SRD | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.2MRB | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | | Releases |
| | | prior to |
| | | 12.2(30)S |
| | | are |
| | | vulnerable; |
| | Not | Releases |
| 12.2S | vulnerable | 12.2(30)S |
| | | and later |
| | | are not |
| | | vulnerable. |
| | | First fixed |
| | | in Release |
| | | 12.0S |
|------------+--------------+--------------|
| 12.2SB | 12.2(33)SB12 | 12.2(33)SB12 |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2SBC | Not | First fixed |
| | vulnerable | in Release |
| | | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SCA | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SCE | 12.2SCE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SCB | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SCE | 12.2SCE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SCC | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SCE | 12.2SCE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SCD | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SCE | 12.2SCE |
|------------+--------------+--------------|
| 12.2SCE | 12.2(33)SCE5 | 12.2(33)SCE6 |
|------------+--------------+--------------|
| 12.2SCF | 12.2(33)SCF2 | 12.2(33)SCF2 |
|------------+--------------+--------------|
| | | |
| 12.2SE | 12.2(55)SE5 | 12.2(55)SE5 |
| | | * |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SEA | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SE | 15.0SE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SEB | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SE | 15.0SE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SEC | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SE | 15.0SE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SED | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SE | 15.0SE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SEE | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SE | 15.0SE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SEF | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SE | 15.0SE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SEG | First fixed | First fixed |
| | in Release | in Release |
| | 15.0SE | 15.0SE |
|------------+--------------+--------------|
| | 12.2(53)SG7; | 12.2(53)SG7; |
| 12.2SG | Available on | Available on |
| | 07-MAY-12 | 07-MAY-12 |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | Vulnerable; | per the |
| 12.2SGA | First fixed | instructions |
| | in Release | in Obtaining |
| | 12.2SG | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| 12.2SL | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SM | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SO | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.2SQ | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SRA | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SRD | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SRB | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SRD | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2SRC | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SRD | 12.2SRE |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2SRD | 12.2(33)SRD8 | First fixed |
| | | in Release |
| | | 12.2SRE |
|------------+--------------+--------------|
| 12.2SRE | 12.2(33)SRE6 | 12.2(33)SRE6 |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.2STE | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2SU | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Releases up |
| | | to and |
| 12.2SV | Not | including |
| | vulnerable | 12.2(18)SV2 |
| | | are not |
| | | vulnerable. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SVA | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SVC | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SVD | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SVE | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2SW | Not | First fixed |
| | vulnerable | in Release |
| | | 12.4T |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SX | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SXA | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SXB | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SXD | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SXE | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2SXF | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.2SXH | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| 12.2SXI | 12.2(33)SXI9 | 12.2(33)SXI9 |
|------------+--------------+--------------|
| 12.2SXJ | 12.2(33)SXJ2 | 12.2(33)SXJ2 |
|------------+--------------+--------------|
| | 12.2(50)SY2; | |
| | Available on | |
| | 11-JUN-12 | |
| | Releases up | 12.2(50)SY2; |
| 12.2SY | to and | Available on |
| | including | 11-JUN-12 |
| | 12.2(14)SY5 | |
| | are not | |
| | vulnerable. | |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2SZ | Not | First fixed |
| | vulnerable | in Release |
| | | 12.0S |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2T | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2TPC | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XA | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XB | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XC | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XD | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XE | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XF | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XG | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XH | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XI | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XJ | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XK | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XL | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XM | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | Please see | Please see |
| 12.2XNA | Cisco IOS-XE | Cisco IOS-XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| | Please see | Please see |
| 12.2XNB | Cisco IOS-XE | Cisco IOS-XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| | Please see | Please see |
| 12.2XNC | Cisco IOS-XE | Cisco IOS-XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| | Please see | Please see |
| 12.2XND | Cisco IOS-XE | Cisco IOS-XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| | Please see | Please see |
| 12.2XNE | Cisco IOS-XE | Cisco IOS-XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| | Please see | Please see |
| 12.2XNF | Cisco IOS-XE | Cisco IOS-XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | Vulnerable; | per the |
| 12.2XO | First fixed | instructions |
| | in Release | in Obtaining |
| | 12.2SG | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XQ | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Releases |
| | | prior to |
| | | 12.2(15)XR |
| | | are |
| | | vulnerable; |
| | Not | Releases |
| 12.2XR | vulnerable | 12.2(15)XR |
| | | and later |
| | | are not |
| | | vulnerable. |
| | | First fixed |
| | | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XS | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XT | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XU | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XV | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2XW | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2YA | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2YC | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2YD | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2YE | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2YK | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2YO | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | First fixed |
| | | in Release |
| | | 15.0M |
| 12.2YP | Not | Releases up |
| | vulnerable | to and |
| | | including |
| | | 12.2(8)YP |
| | | are not |
| | | vulnerable. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2YT | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2YW | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2YX | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2YY | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2YZ | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2ZA | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2ZB | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2ZC | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2ZD | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2ZE | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.2ZH | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2ZJ | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2ZP | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2ZU | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.2ZX | Not | First fixed |
| | vulnerable | in Release |
| | | 12.2SRE |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2ZY | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.2ZYA | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 12.3-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3 | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3B | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3BC | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SCE | 12.2SCE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3BW | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3JA | First fixed | First fixed |
| | in Release | in Release |
| | 12.4JA | 12.4JA |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.3JEA | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.3JEB | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.3JEC | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.3JED | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3JK | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.3JL | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| 12.3JX | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3T | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.3TPC | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| 12.3VA | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XA | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.3XB | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XC | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XD | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XE | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.3XF | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XG | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XI | First fixed | First fixed |
| | in Release | in Release |
| | 12.2SB | 12.2SRE |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XJ | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XK | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XL | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XQ | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XR | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XU | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 12.4T |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XW | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XX | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XY | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3XZ | First fixed | First fixed |
| | in Release | in Release |
| | 12.4 | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YD | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YF | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YG | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YI | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YJ | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YK | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YM | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YQ | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YS | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YT | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YU | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3YX | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.3YZ | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.3ZA | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 12.4-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------+--------------+--------------|
| | 12.4(25g); | Vulnerable; |
| 12.4 | Available on | First fixed |
| | 19-SEP-12 | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4GC | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | 12.4(23c)JA4 | |
| | 12.4(25d) | 12.4(23c) |
| 12.4JA | JA2; | JA412.4(25e) |
| | Available on | JA |
| | 01-AUG-12 | |
| | 12.4(25e)JA | |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4JAX | First fixed | First fixed |
| | in Release | in Release |
| | 12.4JA | 12.4JA |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4JDA | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4JDC | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4JDD | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4JDE | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4JHA | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4JHB | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4JHC | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4JK | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4JL | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4JX | First fixed | First fixed |
| | in Release | in Release |
| | 12.4JA | 12.4JA |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4JY | First fixed | First fixed |
| | in Release | in Release |
| | 12.4JA | 12.4JA |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4JZ | First fixed | First fixed |
| | in Release | in Release |
| | 12.4JA | 12.4JA |
|------------+--------------+--------------|
| | 12.4(22)MD3; | 12.4(22)MD3; |
| 12.4MD | Available on | Available on |
| | 30-MAR-12 | 30-MAR-12 |
|------------+--------------+--------------|
| 12.4MDA | 12.4(24) | 12.4(24) |
| | MDA11 | MDA11 |
|------------+--------------+--------------|
| 12.4MDB | 12.4(24) | 12.4(24) |
| | MDB5a | MDB5a |
|------------+--------------+--------------|
| 12.4MDC | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4MR | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4MRA | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4MRB | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4SW | 12.4(15)SW8a | First fixed |
| | | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | 12.4(15)T17 | 12.4(15)T17 |
| 12.4T | 12.4(24)T7 | 12.4(24)T7 |
| | | |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XA | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XB | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 12.4T |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XC | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XD | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XE | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XF | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XG | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XJ | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XK | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4XL | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XM | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4XN | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4XP | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XQ | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XR | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 12.4T |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XT | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4XV | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XW | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XY | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XZ | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4YA | First fixed | First fixed |
| | in Release | in Release |
| | 12.4T | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4YB | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4YD | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| 12.4YE | 12.4(24)YE3d | 12.4(24)YE3d |
|------------+--------------+--------------|
| 12.4YG | 12.4(24)YG4 | 12.4(24)YG4 |
|------------+--------------+--------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 15.0-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------+--------------+--------------|
| 15.0M | 15.0(1)M8 | 15.0(1)M8 |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 15.0MR | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 15.0MRA | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | 15.0(1)S5 | 15.0(1)S5 |
| | Cisco IOS XE | Cisco IOS XE |
| | devices: | devices: |
| 15.0S | Please see | Please see |
| | Cisco IOS XE | Cisco IOS XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| 15.0SA | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| | 15.0(1)SE1 | |
| 15.0SE | 15.0(2)SE; | 15.0(1)SE1 |
| | Available on | |
| | 06-AUG-12 | |
|------------+--------------+--------------|
| | 15.0(2)SG2 | 15.0(2)SG2 |
| | Cisco IOS XE | Cisco IOS XE |
| | devices: | devices: |
| 15.0SG | Please see | Please see |
| | Cisco IOS XE | Cisco IOS XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| 15.0SY | 15.0(1)SY1 | 15.0(1)SY1 |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 15.0XA | First fixed | First fixed |
| | in Release | in Release |
| | 15.1T | 15.1T |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | First fixed | First fixed |
| | in Release | in Release |
| | 15.0SG Cisco | 15.0SG Cisco |
| 15.0XO | IOS XE | IOS XE |
| | devices: | devices: |
| | Please see | Please see |
| | Cisco IOS XE | Cisco IOS XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 15.1-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------+--------------+--------------|
| 15.1EY | 15.1(2)EY1a | 15.1(2)EY2 |
|------------+--------------+--------------|
| 15.1GC | 15.1(2)GC2 | 15.1(2)GC2 |
|------------+--------------+--------------|
| | 15.1(4)M2 | 15.1(4)M4; |
| 15.1M | | Available on |
| | | 30-MAR-12 |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 15.1MR | 15.1(1)MR3 | instructions |
| | | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | 15.1(3)S2 | 15.1(3)S2 |
| | Cisco IOS XE | Cisco IOS XE |
| | devices: | devices: |
| 15.1S | Please see | Please see |
| | Cisco IOS XE | Cisco IOS XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| 15.1SG | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 15.1SNG | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| 15.1SNH | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| | 15.1(1)T4 | |
| | 15.1(2)T5; | |
| 15.1T | Available on | 15.1(3)T3 |
| | 27-APR-12 | |
| | 15.1(3)T3 | |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 15.1XB | First fixed | First fixed |
| | in Release | in Release |
| | 15.1T | 15.1T |
|------------+--------------+--------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 15.2-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------+--------------+--------------|
| 15.2GC | 15.2(1)GC1 | 15.2(1)GC2 |
|------------+--------------+--------------|
| | 15.2(1)S1 | 15.2(1)S1 |
| | Cisco IOS XE | Cisco IOS XE |
| | devices: | devices: |
| 15.2S | Please see | Please see |
| | Cisco IOS XE | Cisco IOS XE |
| | Software | Software |
| | Availability | Availability |
|------------+--------------+--------------|
| | | 15.2(1) |
| | 15.2(1)T1 | T215.2(2) |
| 15.2T | 15.2(2)T | T115.2(3)T; |
| | 15.2(2)T1 | Available on |
| | | 30-MAR-12 |
+------------------------------------------+
* Cisco Catalyst 3550 Series Switches support the Internet Key
Exchange (IKE) feature and are vulnerable to Cisco bug ID CSCts38429
when the devices are running Layer 3 images; however, this product
reached the End of Software Maintenance milestone. Cisco 3550 Series
SMI Switches that are running Layer 2 images do not support IKE and
are not vulnerable. No other Cisco devices that run 12.2SE-based
software are vulnerable.
Cisco IOS XE Software
+--------------------
Cisco IOS XE Software is affected by the vulnerability that is
disclosed in this document.
+---------------------------------------+
| | | First Fixed |
| | | Release for |
| | | All |
| Cisco | | Advisories |
| IOS XE | First Fixed | in the March |
| Software | Release | 2012 Cisco |
| Release | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 2.1.x | migrate to | migrate to |
| | 3.1.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 2.2.x | migrate to | migrate to |
| | 3.1.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 2.3.x | migrate to | migrate to |
| | 3.1.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 2.4.x | migrate to | migrate to |
| | 3.1.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 2.5.x | migrate to | migrate to |
| | 3.1.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 2.6.x | migrate to | migrate to |
| | 3.1.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| | | Vulnerable; |
| 3.1.xS | 3.1.2S | migrate to |
| | | 3.4.2S or |
| | | later. |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 3.1.xSG | migrate to | migrate to |
| | 3.2.2SG or | 3.2.2SG or |
| | later. | later. |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 3.2.xS | migrate to | migrate to |
| | 3.4.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| 3.2.xSG | 3.2.2SG | 3.2.2SG |
|----------+-------------+--------------|
| | Vulnerable; | Vulnerable; |
| 3.3.xS | migrate to | migrate to |
| | 3.4.2S or | 3.4.2S or |
| | later. | later. |
|----------+-------------+--------------|
| 3.2.xSG | Not | Not |
| | vulnerable | vulnerable |
|----------+-------------+--------------|
| 3.4.xS | 3.4.2S | 3.4.2S |
|----------+-------------+--------------|
| 3.5.xS | 3.5.1S | 3.5.1S |
|----------+-------------+--------------|
| 3.6.xS | Not | Not |
| | vulnerable | vulnerable |
+---------------------------------------+
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
Release Notes, and Cisco IOS XE 3SG Release Notes.
Cisco IOS XR Software
+--------------------
Cisco IOS XR Software is not affected by any of the vulnerabilities
disclosed in the March 2012 Cisco IOS Software Security Advisory
Bundled Publication.
Workarounds
===========
If the HTTP and HTTPS servers are not required, they may be disabled
with the commands no ip http server and no ip http secure-server.
However, if web services are required, a feature was introduced in
12.3(14)T and later in which selective HTTP and HTTPS services could
be enabled or disabled. The WEB_EXEC service provides a facility to
configure the device and retrieve the current state of the device
from remote clients.
It is possible to disable the WEB_EXEC service while still leaving
other HTTP services active. If an installation does not require the
use of the WEB_EXEC service, then it may be disabled using the
following procedure:
1. Verify the list of all session modules.
Router# show ip http server session-module
HTTP server application session modules:
Session module Name Handle Status Secure-status Description
HTTP_IFS 1 Active Active HTTP based IOS File Server
HOME_PAGE 2 Active Active IOS Homepage Server
QDM 3 Active Active QOS Device Manager Server
QDM_SA 4 Active Active QOS Device Manager Signed Applet Server
WEB_EXEC 5 Active Active HTTP based IOS EXEC Server
IXI 6 Active Active IOS XML Infra Application Server
IDCONF 7 Active Active IDCONF HTTP(S) Server
XSM 8 Active Active XML Session Manager
VDM 9 Active Active VPN Device Manager Server
XML_Api 10 Active Active XML Api
ITS 11 Active Active IOS Telephony Service
ITS_LOCDIR 12 Active Active ITS Local Directory Search
CME_SERVICE_URL 13 Active Active CME Service URL
CME_AUTH_SRV_LOGIN 14 Active Active CME Authentication Server
IPS_SDEE 15 Active Active IOS IPS SDEE Server
tti-petitioner 16 Active Active TTI Petitioner
2. Create a list of session modules that are required, in this
example it would be everything other than WEB_EXEC.
Router# configuration terminal
Router(config)# ip http session-module-list exclude_webexec
HTTP_IFS,HOME_PAGE,QDM,QDM_SA,IXI,IDCONF,XSM,VDM,XML_Api,
ITS,ITS_LOCDIR,CME_SERVICE_URL,CME_AUTH_SRV_LOGIN,IPS_SDEE,tti-petitioner
3. Selectively enable HTTP/HTTPS applications that will service
incoming HTTP requests from remote clients.
Router(config)# ip http active-session-modules exclude_webexec
Router(config)# ip http secure-active-session-modules exclude_webexec
Router(config)# exit
4. Verify the list of all session modules, and ensure WEB_EXEC is
not active.
Router# show ip http server session-module
HTTP server application session modules:
Session module Name Handle Status Secure-status Description
HTTP_IFS 1 Active Active HTTP based IOS File Server
HOME_PAGE 2 Active Active IOS Homepage Server
QDM 3 Active Active QOS Device Manager Server
QDM_SA 4 Active Active QOS Device Manager Signed Applet Server
WEB_EXEC 5 Inactive Inactive HTTP based IOS EXEC Server
IXI 6 Active Active IOS XML Infra Application Server
IDCONF 7 Active Active IDCONF HTTP(S) Server
XSM 8 Active Active XML Session Manager
VDM 9 Active Active VPN Device Manager Server
XML_Api 10 Active Active XML Api
ITS 11 Active Active IOS Telephony Service
ITS_LOCDIR 12 Active Active ITS Local Directory Search
CME_SERVICE_URL 13 Active Active CME Service URL
CME_AUTH_SRV_LOGIN 14 Active Active CME Authentication Server
IPS_SDEE 15 Active Active IOS IPS SDEE Server
tti-petitioner 16 Active Active TTI Petitioner
For further information on the selective enabling of applications
using an HTTP or secure HTTP server, consult the Cisco IOS network
management configuration guide, release 12.4T, at:
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_http_app…
If the HTTP server and WEB_EXEC service are required, it is a
recommended best practice to limit which hosts may access the HTTP
server to allow only trusted sources. An access list can be applied
to the HTTP server to limit which hosts are permitted access. To
apply an access list to the HTTP server, use the following command in
global configuration mode: ip http access-class {access-list-number |
access-list-name}.
The following example shows an access list that allows only trusted
hosts to access the Cisco IOS HTTP server:
ip access-list standard 20
permit 192.168.1.0 0.0.0.255
remark "Above is a trusted subnet"
remark "Add further trusted subnets or hosts below"
! (Note: all other access implicitly denied)
! (Apply the access-list to the http server)
ip http access-class 20
For additional information on configuring the Cisco IOS HTTP server,
consult Using the Cisco Web Browser User Interface.
Obtaining Fixed Software
========================
Cisco has released free software updates that addresses the
vulnerability described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance
providers or check the software for feature set compatibility and
known issues that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their
service providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should obtain upgrades by contacting the Cisco
Technical Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerability that is described in this advisory.
This vulnerability was reported to Cisco TAC by customers observing
the vulnerability during the normal operation of their devices.
Status of This Notice: Final
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce(a)cisco.com
* first-bulletins(a)lists.first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2012-March-28 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available
on Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.…
This web page includes instructions for press inquiries regarding
Cisco Security Advisories.
All Cisco Security Advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFPcfB+QXnnBKKRMNARCG0KAP98319EAgChMCfxp4K0GXiscRX+fBEv/3NF
+CJDx7WA5gD+IcSwDBmEjesJmNj3GyxbjQ9f1WX7jFpUvy81HYDOqko=
=vGZr
-----END PGP SIGNATURE-----
10 years, 3 months
- 1
- 0
Cisco Security Advisory: Cisco IOS Internet Key Exchange Vulnerability
by Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Cisco IOS Internet Key Exchange Vulnerability
Advisory ID: cisco-sa-20120328-ike
Revision 1.0
For Public Release 2012 March 28 16:00 UTC (GMT)
+--------------------------------------------------------------------
Summary
=======
The Cisco IOS Software Internet Key Exchange (IKE) feature contains a
denial of service (DoS) vulnerability.
Cisco has released free software updates that address this
vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Note: The March 28, 2012, Cisco IOS Software Security Advisory
bundled publication includes nine Cisco Security Advisories. Each
advisory lists the Cisco IOS Software releases that correct the
vulnerability or vulnerabilities detailed in the advisory as well as
the Cisco IOS Software releases that correct all vulnerabilities in
the March 2012 bundled publication.
Individual publication links are in "Cisco Event Response:
Semi-Annual Cisco IOS Software Security Advisory Bundled Publication"
at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html
Affected Products
=================
Vulnerable Products
+------------------
Cisco devices that are running Cisco IOS Software are vulnerable when
they are configured to use IKE version 1 (IKEv1).
A number of features use IKEv1, including different Virtual Private
Networks (VPN) such as:
* LAN-to-LAN VPN
* Remote access VPN (excluding SSLVPN)
* Dynamic Multipoint VPN (DMVPN)
* Group Domain of Interpretation (GDOI)
There are two methods to determine if a device is configured for IKE:
* Determine if IKE ports are open on a running device
* Determine if IKE features are included in the device
configuration
Determine if IKE Ports are Open on a Running Device
+--------------------------------------------------
The preferred method to determine if a device has been configured for
IKE is to issue the "show ip sockets" or "show udp" exec command. If the
device has UDP port 500, UDP port 4500, UDP port 848, or UDP port 4848
open, it is processing IKE packets.
In the following example, the device is processing IKE packets in UDP
port 500 and UDP port 4500, using either IPv4 or IPv6:
router# show udp
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 192.168.130.21 500 0 0 1001011 0
17(v6) --listen-- UNKNOWN 500 0 0 1020011 0
17 --listen-- 192.168.130.21 4500 0 0 1001011 0
17(v6) --listen-- UNKNOWN 4500 0 0 1020011 0
!--- Output truncated
router#
Determine if IKE Features are included in the Device Configuration
+-----------------------------------------------------------------
To determine if a Cisco IOS device configuration is vulnerable,
the administrator needs to establish whether there is at least one
configured feature that uses IKE. This can be achieved by using the
"show run | include crypto map|tunnel protection ipsec|crypto gdoi"
enable mode command. If the output of this command contains either
crypto map, tunnel protection ipsec, or, crypto gdoi then the device
contains an IKE configuration. The following example shows a device that
has been configured for IKE:
router# show run | include crypto map|tunnel protection ipsec|crypto gdoi
crypto map CM 100 ipsec-isakmp
crypto map CM
router#
Determine the Cisco IOS Software Release
+---------------------------------------
To determine the Cisco IOS Software release that is running on a Cisco
product, administrators can log in to the device and issue the "show
version" command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or "Cisco
IOS Software." The image name displays in parentheses, followed by
"Version" and the Cisco IOS Software release name. Other Cisco devices
do not have the "show version" command or may provide different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 15.0(1)M1 with an installed image name of
C3900-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS and NX-OS
Software Reference Guide" at:
http://www.cisco.com/web/about/security/intelligence/ios-ref.html
Products Confirmed Not Vulnerable
+--------------------------------
Cisco ASA 5500 Series Adaptive Security Appliance is not affected by
this vulnerability.
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
The IKE protocol is used in the Internet Protocol Security (IPsec)
protocol suite to negotiate cryptographic attributes that will be
used to encrypt or authenticate the communication session. These
attributes include cryptographic algorithm, mode, and shared keys.
The end result of IKE is a shared session secret that will be used to
derive cryptographic keys.
Cisco IOS Software supports IKE for IPv4 and IPv6 communications.
IKE communication can use any of the following UDP ports:
* UDP port 500
* UDP port 4500, NAT Traversal (NAT-T)
* UDP port 848, Group Domain of Interpretation (GDOI)
* UDP port 4848, GDOI NAT-T
The IKEv1 feature of Cisco IOS Software contains a vulnerability that
could allow an unauthenticated, remote attacker to cause a reload of
an affected device.
An attacker could exploit this vulnerability using either IPv4 or
IPv6 on any of the listed UDP ports. Spoofing of packets that could
exploit this vulnerability is limited because the attacker needs to
either receive or have access to the initial response from the
vulnerable device.
This vulnerability is documented in Cisco bug ID CSCts38429 and has been
assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-0381.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority
of a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the
environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCts38429 ("Cisco IOS Software IKE DoS vulnerability")
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may cause the vulnerable
device to reload.
Software Versions and Fixes
===========================
Cisco IOS Software
+-----------------
Each row of the following Cisco IOS Software table corresponds to a
Cisco IOS Software train. If a particular train is vulnerable, the
earliest releases that contain the fix are listed in the First Fixed
Release column. The First Fixed Release for All Advisories in the
March 2012 Bundled Publication column lists the earliest possible
releases that correct all the published vulnerabilities in the Cisco
IOS Software Security Advisory bundled publication. Cisco recommends
upgrading to the latest available release, where possible.
The Cisco IOS Software Checker allows customers to search for Cisco
Security Advisories that address specific Cisco IOS Software
releases. This tool is available on the Cisco Security Intelligence
Operations (SIO) portal at:
http://tools.cisco.com/security/center/selectIOSVersion.x
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|----------+--------------------------------------------------------|
| | |First Fixed Release for All|
| Affected | | Advisories in the March |
|12.0-Based| First Fixed Release | 2012 Cisco IOS Software |
| Releases | | Security Advisory Bundled |
| | | Publication |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| | |First Fixed Release for All|
| Affected | | Advisories in the March |
|12.2-Based| First Fixed Release | 2012 Cisco IOS Software |
| Releases | | Security Advisory Bundled |
| | | Publication |
|----------+----------------------------+---------------------------|
|12.2 |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; First fixed in | |
| |Release 15.0M |Vulnerable; First fixed in |
|12.2B |Releases up to and including|Release 15.0M |
| |12.2(2)B7 are not | |
| |vulnerable. | |
|----------+----------------------------+---------------------------|
| |Vulnerable; First fixed in | |
| |Release 15.0M |Vulnerable; First fixed in |
|12.2BC |Releases up to and including|Release 15.0M |
| |12.2(4)BC1b are not | |
| |vulnerable. | |
|----------+----------------------------+---------------------------|
|12.2BW |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; First fixed in | |
| |Release 12.2SRE |Vulnerable; First fixed in |
|12.2BX |Releases up to and including|Release 12.2SB |
| |12.2(2)BX1 are not | |
| |vulnerable. | |
|----------+----------------------------+---------------------------|
| |Vulnerable; First fixed in | |
| |Release 15.0M |Vulnerable; First fixed in |
|12.2BY |Releases up to and including|Release 15.0M |
| |12.2(2)BY3 are not | |
| |vulnerable. | |
|----------+----------------------------+---------------------------|
| |Vulnerable; First fixed in | |
| |Release 15.0M |Vulnerable; First fixed in |
|12.2BZ |Releases up to and including|Release 15.0M |
| |12.2(4)BZ2 are not | |
| |vulnerable. | |
|----------+----------------------------+---------------------------|
|12.2CX |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2CY |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2CZ |Vulnerable; migrate to any |Vulnerable; First fixed in |
| |release in 12.0S |Release 12.0S |
|----------+----------------------------+---------------------------|
|12.2DA |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2DD |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2DX |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2EU |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2EW |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2EWA |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.2EX |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2EY |Not vulnerable |12.2(52)EY4 |
|----------+----------------------------+---------------------------|
|12.2EZ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2FX |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2FY |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2FZ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2IRA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRD |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.2IRB |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRD |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.2IRC |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRD |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.2IRD |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRD |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.2IRE |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRD |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.2IRF |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRD |Release 12.2SRE |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2IRG |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2IRH |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2IXA |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2IXB |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2IXC |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2IXD |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2IXE |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2IXF |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2IXG |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2IXH |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.2JA |Not vulnerable |Not vulnerable |
|----------+----------------------------+---------------------------|
|12.2JK |Not vulnerable |Not vulnerable |
|----------+----------------------------+---------------------------|
|12.2MB |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2MC |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2MRA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRD |Release 12.2SRE |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2MRB |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Note: Releases prior to 12.2|Releases prior to 12.2(30)S|
| |(25)S1 are vulnerable; |are vulnerable; Releases |
|12.2S |Releases 12.2(25)S1 and |12.2(30)S and later are not|
| |later are not vulnerable. |vulnerable. First fixed in |
| | |Release 12.0S |
|----------+----------------------------+---------------------------|
| |Only releases 12.2(33)SB1 | |
|12.2SB |through 12.2(33)SB4 are |12.2(33)SB12 |
| |vulnerable. | |
|----------+----------------------------+---------------------------|
|12.2SBC |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.2SCA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SCE |Release 12.2SCE |
|----------+----------------------------+---------------------------|
|12.2SCB |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SCE |Release 12.2SCE |
|----------+----------------------------+---------------------------|
|12.2SCC |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SCE |Release 12.2SCE |
|----------+----------------------------+---------------------------|
|12.2SCD |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SCE |Release 12.2SCE |
|----------+----------------------------+---------------------------|
|12.2SCE |12.2(33)SCE6 |12.2(33)SCE6 |
|----------+----------------------------+---------------------------|
|12.2SCF |12.2(33)SCF2 |12.2(33)SCF2 |
|----------+----------------------------+---------------------------|
|12.2SE |Not vulnerable* | |
| | |12.2(55)SE5 * |
|----------+----------------------------+---------------------------|
|12.2SEA |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2SEB |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2SEC |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2SED |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2SEE |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2SEF |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2SEG |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0SE |
|----------+----------------------------+---------------------------|
|12.2SG |Not vulnerable |12.2(53)SG7; Available on |
| | |07-MAY-12 |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2SGA |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.2SL |Not vulnerable |Not vulnerable |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2SM |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2SO |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2SQ |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.2SRA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRD |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.2SRB |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRD |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.2SRC |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRD |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.2SRD |12.2(33)SRD8 |Vulnerable; First fixed in |
| | |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.2SRE |12.2(33)SRE6 |12.2(33)SRE6 |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2STE |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.2SU |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| | |Releases up to and |
|12.2SV |Not vulnerable |including 12.2(18)SV2 are |
| | |not vulnerable. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2SVA |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2SVC |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2SVD |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2SVE |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Releases up to and including| |
| |12.2(21)SW1 are not | |
|12.2SW |vulnerable. |Vulnerable; First fixed in |
| |Releases 12.2(25)SW10 and |Release 12.4T |
| |later are not vulnerable. | |
| |First fixed in Release 12.4T| |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2SX |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2SXA |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2SXB |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2SXD |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2SXE |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2SXF |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2SXH |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.2SXI |12.2(33)SXI9 |12.2(33)SXI9 |
|----------+----------------------------+---------------------------|
|12.2SXJ |12.2(33)SXJ2 |12.2(33)SXJ2 |
|----------+----------------------------+---------------------------|
|12.2SY |12.2(50)SY2; Available on |12.2(50)SY2; Available on |
| |11-JUN-12 |11-JUN-12 |
|----------+----------------------------+---------------------------|
|12.2SZ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.0S |
|----------+----------------------------+---------------------------|
|12.2T |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2TPC |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.2XA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XB |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XC |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XD |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XE |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XF |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XG |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XH |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XI |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XJ |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XK |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XL |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XM |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XNA |Please see Cisco IOS-XE |Please see Cisco IOS-XE |
| |Software Availability |Software Availability |
|----------+----------------------------+---------------------------|
|12.2XNB |Please see Cisco IOS-XE |Please see Cisco IOS-XE |
| |Software Availability |Software Availability |
|----------+----------------------------+---------------------------|
|12.2XNC |Please see Cisco IOS-XE |Please see Cisco IOS-XE |
| |Software Availability |Software Availability |
|----------+----------------------------+---------------------------|
|12.2XND |Please see Cisco IOS-XE |Please see Cisco IOS-XE |
| |Software Availability |Software Availability |
|----------+----------------------------+---------------------------|
|12.2XNE |Please see Cisco IOS-XE |Please see Cisco IOS-XE |
| |Software Availability |Software Availability |
|----------+----------------------------+---------------------------|
|12.2XNF |Please see Cisco IOS-XE |Please see Cisco IOS-XE |
| |Software Availability |Software Availability |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2XO |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.2XQ |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| | |Releases prior to 12.2(15) |
| | |XR are vulnerable; Releases|
|12.2XR |Not vulnerable |12.2(15)XR and later are |
| | |not vulnerable. First fixed|
| | |in Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XS |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XT |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XU |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XV |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2XW |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2YA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2YC |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2YD |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2YE |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2YK |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2YO |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; First fixed in |
| | |Release 15.0M |
|12.2YP |Not vulnerable |Releases up to and |
| | |including 12.2(8)YP are not|
| | |vulnerable. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2YT |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2YW |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2YX |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2YY |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2YZ |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2ZA |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| |Releases up to and including|support organization per |
|12.2ZB |12.2(8)ZB are not |the instructions in |
| |vulnerable. |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2ZC |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2ZD |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.2ZE |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.2ZH |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2ZJ |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.2ZP |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2ZU |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.2ZX |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.2SRE |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2ZY |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.2ZYA |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |First Fixed Release for All|
| Affected | | Advisories in the March |
|12.3-Based| First Fixed Release | 2012 Cisco IOS Software |
| Releases | | Security Advisory Bundled |
| | | Publication |
|----------+----------------------------+---------------------------|
|12.3 |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3B |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3BC |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SCE |Release 12.2SCE |
|----------+----------------------------+---------------------------|
|12.3BW |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3JA |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.4JA |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.3JEA |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.3JEB |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.3JEC |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.3JED |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Releases up to and including| |
| |12.3(2)JK3 are not | |
|12.3JK |vulnerable. |Vulnerable; First fixed in |
| |Releases 12.3(8)JK1 and |Release 15.0M |
| |later are not vulnerable. | |
| |First fixed in Release 15.0M| |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.3JL |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.3JX |Not vulnerable |Not vulnerable |
|----------+----------------------------+---------------------------|
|12.3T |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.3TPC |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.3VA |Not vulnerable |Not vulnerable |
|----------+----------------------------+---------------------------|
|12.3XA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.3XB |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.3XC |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3XD |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3XE |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.3XF |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.3XG |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3XI |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.2SRE |Release 12.2SRE |
|----------+----------------------------+---------------------------|
|12.3XJ |Vulnerable; migrate to any |Vulnerable; First fixed in |
| |release in 12.4XN |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3XK |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3XL |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3XQ |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3XR |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; First fixed in | |
| |Release 12.4T |Vulnerable; First fixed in |
|12.3XU |Releases up to and including|Release 12.4T |
| |12.3(8)XU1 are not | |
| |vulnerable. | |
|----------+----------------------------+---------------------------|
|12.3XW |Vulnerable; migrate to any |Vulnerable; First fixed in |
| |release in 12.4XN |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3XX |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3XY |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3XZ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YD |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YF |Vulnerable; migrate to any |Vulnerable; First fixed in |
| |release in 12.4XN |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YG |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YI |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YJ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YK |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YM |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YQ |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YS |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YT |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YU |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.3YX |Vulnerable; migrate to any |Vulnerable; First fixed in |
| |release in 12.4XN |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.3YZ |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.3ZA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
| | |First Fixed Release for All|
| Affected | | Advisories in the March |
|12.4-Based| First Fixed Release | 2012 Cisco IOS Software |
| Releases | | Security Advisory Bundled |
| | | Publication |
|----------+----------------------------+---------------------------|
|12.4 |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.0M |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.4GC |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.4JA |Not vulnerable |12.4(23c)JA4 |
| | |12.4(25e)JA |
|----------+----------------------------+---------------------------|
|12.4JAX |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.4JA |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4JDA |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4JDC |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4JDD |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4JDE |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4JHA |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4JHB |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4JHC |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4JK |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4JL |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.4JX |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.4JA |
|----------+----------------------------+---------------------------|
|12.4JY |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.4JA |
|----------+----------------------------+---------------------------|
|12.4JZ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.4JA |
|----------+----------------------------+---------------------------|
|12.4MD |12.4(22)MD3; Available on |12.4(22)MD3; Available on |
| |30-MAR-12 |30-MAR-12 |
|----------+----------------------------+---------------------------|
|12.4MDA |12.4(24)MDA11 |12.4(24)MDA11 |
|----------+----------------------------+---------------------------|
|12.4MDB |12.4(24)MDB5a |12.4(24)MDB5a |
|----------+----------------------------+---------------------------|
|12.4MDC |Not vulnerable |Not vulnerable |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| |Releases up to and including|support organization per |
|12.4MR |12.4(9)MR are not |the instructions in |
| |vulnerable. |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.4MRA |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.4MRB |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4SW |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
| |12.4(15)T17 |12.4(15)T17 |
|12.4T |12.4(24)T7 |12.4(24)T7 |
| | | |
|----------+----------------------------+---------------------------|
|12.4XA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Releases prior to 12.4(2) | |
| |XB12 are vulnerable; |Vulnerable; First fixed in |
|12.4XB |Releases 12.4(2)XB12 and |Release 12.4T |
| |later are not vulnerable. | |
| |First fixed in Release 12.4T| |
|----------+----------------------------+---------------------------|
|12.4XC |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4XD |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4XE |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4XF |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4XG |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4XJ |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4XK |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4XL |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.4XM |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+----------------------------+---------------------------|
| | |Vulnerable; contact your |
| | |support organization per |
|12.4XN |Not vulnerable |the instructions in |
| | |Obtaining Fixed Software |
| | |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.4XP |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.4XQ |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4XR |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 12.4T |
|----------+----------------------------+---------------------------|
|12.4XT |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.4XV |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.4XW |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4XY |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4XZ |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
|12.4YA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 12.4T |Release 15.0M |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.4YB |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|12.4YD |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|12.4YE |12.4(24)YE3d |12.4(24)YE3d |
|----------+----------------------------+---------------------------|
|12.4YG |12.4(24)YG4 |12.4(24)YG4 |
|----------+----------------------------+---------------------------|
| | |First Fixed Release for All|
| Affected | | Advisories in the March |
|15.0-Based| First Fixed Release | 2012 Cisco IOS Software |
| Releases | | Security Advisory Bundled |
| | | Publication |
|----------+----------------------------+---------------------------|
|15.0M |15.0(1)M8 |15.0(1)M8 |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|15.0MR |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|15.0MRA |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |15.0(1)S5 |15.0(1)S5 |
|15.0S |Cisco IOS XE devices: Please|Cisco IOS XE devices: |
| |see Cisco IOS XE Software |Please see Cisco IOS XE |
| |Availability |Software Availability |
|----------+----------------------------+---------------------------|
|15.0SA |Not vulnerable |Not vulnerable |
|----------+----------------------------+---------------------------|
|15.0SE |Not vulnerable |15.0(1)SE1 |
|----------+----------------------------+---------------------------|
| |Not vulnerable |15.0(2)SG2 |
|15.0SG |Cisco IOS XE devices: Please|Cisco IOS XE devices: |
| |see Cisco IOS XE Software |Please see Cisco IOS XE |
| |Availability |Software Availability |
|----------+----------------------------+---------------------------|
|15.0SY |15.0(1)SY1 |15.0(1)SY1 |
|----------+----------------------------+---------------------------|
|15.0XA |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.1T |Release 15.1T |
|----------+----------------------------+---------------------------|
| |Cisco IOS XE devices: Please|Cisco IOS XE devices: |
|15.0XO |see Cisco IOS-XE Software |Please see Cisco IOS-XE |
| |Availability |Software Availability |
|----------+----------------------------+---------------------------|
| | |First Fixed Release for All|
| Affected | | Advisories in the March |
|15.1-Based| First Fixed Release | 2012 Cisco IOS Software |
| Releases | | Security Advisory Bundled |
| | | Publication |
|----------+----------------------------+---------------------------|
|15.1EY |Not vulnerable |15.1(2)EY2 |
|----------+----------------------------+---------------------------|
|15.1GC |15.1(2)GC2 |15.1(2)GC2 |
|----------+----------------------------+---------------------------|
|15.1M |15.1(4)M3 |15.1(4)M4; Available on |
| | |30-MAR-12 |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|15.1MR |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
| |15.1(3)S2 |15.1(3)S2 |
|15.1S |Cisco IOS XE devices: Please|Cisco IOS XE devices: |
| |see Cisco IOS XE Software |Please see Cisco IOS XE |
| |Availability |Software Availability |
|----------+----------------------------+---------------------------|
| |Not vulnerable |Not vulnerable |
|15.1SG |Cisco IOS XE devices: Please|Cisco IOS XE devices: |
| |see Cisco IOS XE Software |Please see Cisco IOS XE |
| |Availability |Software Availability |
|----------+----------------------------+---------------------------|
| |Vulnerable; contact your |Vulnerable; contact your |
| |support organization per the|support organization per |
|15.1SNG |instructions in Obtaining |the instructions in |
| |Fixed Software section of |Obtaining Fixed Software |
| |this advisory. |section of this advisory. |
|----------+----------------------------+---------------------------|
|15.1SNH |Not vulnerable |Not vulnerable |
|----------+----------------------------+---------------------------|
| |15.1(1)T5; Available on | |
| |18-MAY-12 | |
|15.1T |15.1(2)T5; Available on |15.1(3)T3 |
| |27-APR-12 | |
| |15.1(3)T3 | |
|----------+----------------------------+---------------------------|
|15.1XB |Vulnerable; First fixed in |Vulnerable; First fixed in |
| |Release 15.1T |Release 15.1T |
|----------+----------------------------+---------------------------|
| | |First Fixed Release for All|
| Affected | | Advisories in the March |
|15.2-Based| First Fixed Release | 2012 Cisco IOS Software |
| Releases | | Security Advisory Bundled |
| | | Publication |
|----------+----------------------------+---------------------------|
|15.2GC |15.2(1)GC2 |15.2(1)GC2 |
|----------+----------------------------+---------------------------|
| |15.2(1)S1 |15.2(1)S1 |
| | | |
|15.2S |Cisco IOS XE devices: Please|Cisco IOS XE devices: |
| |see Cisco IOS XE Software |Please see Cisco IOS XE |
| |Availability |Software Availability |
|----------+----------------------------+---------------------------|
| |15.2(1)T2 |15.2(1)T2 |
|15.2T |15.2(2)T1 |15.2(2)T1 |
| |15.2(3)T; Available on |15.2(3)T; Available on |
| |30-MAR-12 |30-MAR-12 |
+-------------------------------------------------------------------+
* Cisco Catalyst 3550 Series Switches support the Internet Key
Exchange (IKE) feature and are vulnerable to Cisco bug ID CSCts38429
when the devices are running Layer 3 images; however, this product
reached the End of Software Maintenance milestone. Cisco 3550 Series
SMI Switches that are running Layer 2 images do not support IKE and
are not vulnerable. No other Cisco devices that run 12.2SE-based
software are vulnerable.
Cisco IOS XE Software
+--------------------
+------------------------------------------------------------+
| Cisco IOS | | First Fixed Release for All |
| XE | First Fixed | Advisories in the March 2012 |
| Software | Release | Cisco IOS Software Security |
| Release | | Advisory Bundled Publication |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 2.1.x | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.2S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 2.2.x | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.2S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 2.3.x | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.2S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 2.4.x | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.2S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 2.5.x | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.2S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 2.6.x | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.2S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 3.1.xS | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.2S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| 3.1.xSG | Not | Vulnerable; migrate to 3.2.2SG |
| | vulnerable | or later. |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 3.2.xS | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.2S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| 3.2.xSG | 3.2.2SG | 3.2.2SG |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 3.3.xS | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.2S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| 3.3.xSG | Not | Not Vulnerable |
| | Vulnerable | |
|-----------+--------------+---------------------------------|
| 3.4.xS | 3.4.2S | 3.4.2S |
|-----------+--------------+---------------------------------|
| 3.5.xS | 3.5.1S | 3.5.1S |
|-----------+--------------+---------------------------------|
| 3.6.xS | Not | Not vulnerable |
| | vulnerable | |
+------------------------------------------------------------+
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
Release Notes, and Cisco IOS XE 3SG Release Notes.
Cisco IOS XR Software
+--------------------
Cisco IOS XR Software is not affected by any of the vulnerabilities
disclosed in the March 2012 Cisco IOS Software Security Advisory
Bundled Publication.
Workarounds
===========
There are no workarounds for this vulnerability.
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerability described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance
providers or check the software for feature set compatibility and
known issues that are specific to their environments.
Customers may only install and expect support for feature
sets they have purchased. By installing, downloading,
accessing, or otherwise using such software upgrades, customers
agree to follow the terms of the Cisco software license at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as set forth at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be obtained
through the Software Center on Cisco.com at http://www.cisco.com.
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their
service providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should obtain upgrades by contacting the Cisco
Technical Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerability that is described in this advisory.
This vulnerability was found during internal Cisco testing.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce(a)cisco.com
* first-bulletins(a)lists.first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2012-March-28 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco is available on Cisco.com at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.….
This web page includes instructions for press inquiries
regarding Cisco Security Advisories. All Cisco Security Advisories are
available at http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iF4EAREIAAYFAk9xNMgACgkQQXnnBKKRMND8jwD6AzE8IxsF7PzqGh9w75+OhEQ7
z3dm7J1xzgPKLxtI7R8A/1AXDWCmSXsfNHJjhTPmMeZ5kxiA+9AfvxkWJLWxDMZ2
=sT/L
-----END PGP SIGNATURE-----
10 years, 3 months
- 1
- 0
Cisco Security Advisory: Cisco IOS Software Multicast Source Discovery Protocol Vulnerability
by Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Cisco IOS Software Multicast Source Discovery
Protocol Vulnerability
Advisory ID: cisco-sa-20120328-msdp
Revision 1.0
For Public Release 2012 March 28 16:00 UTC (GMT)
+--------------------------------------------------------------------
Summary
=======
A vulnerability in the Multicast Source Discovery Protocol (MSDP)
implementation of Cisco IOS Software and Cisco IOS XE Software could
allow a remote, unauthenticated attacker to cause a reload of an
affected device. Repeated attempts to exploit this vulnerability could
result in a sustained denial of service (DoS) condition.
Cisco has released free software updates that address this
vulnerability. Workarounds that mitigate this vulnerability are
available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled
publication includes nine Cisco Security Advisories. Each advisory
lists the Cisco IOS Software releases that correct the vulnerability
or vulnerabilities detailed in the advisory as well as the Cisco IOS
Software releases that correct all vulnerabilities in the March 2012
bundled publication.
Individual publication links are in "Cisco Event Response: Semi-Annual
Cisco IOS Software Security Advisory Bundled Publication" at the
following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html
Affected Products
=================
Vulnerable Products
+------------------
The following products are affected by this vulnerability:
+ Cisco IOS Software
+ Cisco IOS XE Software
To determine whether a Cisco IOS or Cisco IOS XE Software release is
running on a Cisco product, administrators can log in to the device
and issue the "show version" command to display the system banner.
The system banner confirms that the device is running Cisco IOS
Software by displaying text similar to "Cisco Internetwork Operating
System Software" or "Cisco IOS Software." The image name displays in
parentheses, followed by "Version" and the Cisco IOS Software release
name. Other Cisco devices do not have the "show version" command or may
provide different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.4(20)T with an installed image name of
C1841-ADVENTERPRISEK9-M:
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
Additional information about Cisco IOS Software release naming
conventions is available in the White Paper: Cisco IOS and NX-OS
Software Reference Guide
Products Confirmed Not Vulnerable
+--------------------------------
Cisco IOS XR Software is not affected by this vulnerability. No other
Cisco products are currently known to be affected by this vulnerability.
Details
=======
MSDP is the protocol used to connect multiple Protocol Independent
Multicast sparse mode (PIM-SM) domains. MSDP allows multicast sources
for a group to be known to all rendezvous points (RPs) in different
domains. An RP runs MSDP over TCP to discover multicast sources.
An RP in a PIM-SM domain has an MSDP peering relationship with
MSDP-enabled routers in another domain. The peering relationship occurs
over a TCP connection, where primarily a list of sources sending to
multicast groups is exchanged. The TCP connections between RPs are
achieved by the underlying routing system. The receiving RP uses the
source lists to establish a source path.
The purpose of this topology is to have domains discover multicast
sources in other domains. If the multicast sources are of interest to a
domain that has receivers, multicast data is delivered over the normal,
source-tree building mechanism in PIM-SM.
An MSDP packet containing encapsulated Internet Group Management
Protocol (IGMP) data, received from an external MSDP-configured peer
router, can cause an affected device to reload. This vulnerability can
only be exploited if the router is explicitly joined to the multicast
group. The MSDP packet destination address is a unicast address and
can be addressed to any IP address on the affected device, including
loopback addresses.
Transit traffic will not trigger this vulnerability.
A vulnerable interface configuration contains an explicitly joined
multicast group. Some example configurations that permit exploitation of
this vulnerability are:
!--- Interface configured for SAP Listener Support (a common
multicast group)
interface GigabitEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip pim sparse-mode
ip sap listen
!--- Interface configured to join a multicast group
interface GigabitEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip pim sparse-mode
ip igmp join-group 224.2.127.254
You can also use the "show igmp interface" command to determine if an
interface is joined to a multicast group.
RouterA#show ip igmp interface
GigabitEthernet0/0 is up, line protocol is up
Internet address is 192.168.0.1/24
IGMP is enabled on interface
Current IGMP host version is 2
Current IGMP router version is 2
IGMP query interval is 60 seconds
IGMP querier timeout is 120 seconds
IGMP max query response time is 10 seconds
Last member query count is 2
Last member query response interval is 1000 ms
Inbound IGMP access group is not set
IGMP activity: 2 joins, 0 leaves
Multicast routing is disabled on interface
Multicast TTL threshold is 0
Multicast groups joined by this system (number of users):
224.2.127.254(2) 239.255.255.255(1)
This vulnerability is documented in Cisco bug ID CSCtr28857. This
vulnerability has been assigned Common Vulnerabilities and Exposures
(CVE) ID CVE-2012-0382.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority
of a response.
Cisco has provided a base and temporal score. Customers can also compute
environmental scores that help determine the impact of the vulnerability
in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the environmental
impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtr28857 ("MSDP-peered Router joined to a multicast group may crash")
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Workaround
Report Confidence - Confirmed
Impact
======
Successful exploitation of this vulnerability may cause the affected
device to reload. Repeated exploitation may result in a sustained DoS
condition.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to
consult the Cisco Security Advisories and Responses archive at
http://www.cisco.com/go/psirt and review subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised
to contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
Cisco IOS Software
+-----------------
Each row of the following Cisco IOS Software table corresponds to a
Cisco IOS Software train. If a particular train is vulnerable, the
earliest releases that contain the fix are listed in the First Fixed
Release column. The First Fixed Release for All Advisories in the
March 2012 Bundled Publication column lists the earliest possible
releases that correct all the published vulnerabilities in the Cisco
IOS Software Security Advisory bundled publication. Cisco recommends
upgrading to the latest available release, where possible.
The Cisco IOS Software Checker allows customers to search for Cisco
Security Advisories that address specific Cisco IOS Software
releases. This tool is available on the Cisco Security Intelligence
Operations (SIO) portal at:
http://tools.cisco.com/security/center/selectIOSVersion.x
+------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+-----------------------------------------------|
| | | First Fixed Release |
| Affected | | for All Advisories in |
| 12.0-Based | First Fixed Release | the March 2012 Cisco |
| Releases | | IOS Software Security |
| | | Advisory Bundled |
| | | Publication |
|------------+-----------------------+-----------------------|
| 12.0S | 12.0(33)S10 | 12.0(33)S10 |
|------------+-----------------------+-----------------------|
| 12.0SY | 12.0(32)SY15 | 12.0(32)SY15 |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.0SZ | fixed in Release | fixed in Release |
| | 12.0S | 12.0S |
|------------+-----------------------+-----------------------|
| | | First Fixed Release |
| Affected | | for All Advisories in |
| 12.2-Based | First Fixed Release | the March 2012 Cisco |
| Releases | | IOS Software Security |
| | | Advisory Bundled |
| | | Publication |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2 | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2B | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2BC | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2BW | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2BX | fixed in Release | fixed in Release |
| | 12.2SB | 12.2SB |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2BY | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2BZ | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2CX | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2CY | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2CZ | fixed in Release | fixed in Release |
| | 12.0S | 12.0S |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2DA | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2DD | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2DX | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2EU | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2EW | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2EWA | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2EX | fixed in Release | fixed in Release |
| | 15.0SE | 15.0SE |
|------------+-----------------------+-----------------------|
| 12.2EY | 12.2(52)EY4 | 12.2(52)EY4 |
| | 12.2(58)EY2 | |
|------------+-----------------------+-----------------------|
| | Releases prior to | |
| | 12.2(53)EZ are | |
| | vulnerable; Releases | Vulnerable; First |
| 12.2EZ | 12.2(53)EZ and later | fixed in Release |
| | are not vulnerable. | 15.0SE |
| | First fixed in | |
| | Release 15.0SE | |
|------------+-----------------------+-----------------------|
| | | Vulnerable; First |
| 12.2FX | Not vulnerable | fixed in Release |
| | | 15.0SE |
|------------+-----------------------+-----------------------|
| | | Vulnerable; First |
| 12.2FY | Not vulnerable | fixed in Release |
| | | 15.0SE |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2FZ | fixed in Release | fixed in Release |
| | 12.2SE | 15.0SE |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2IRA | fixed in Release | fixed in Release |
| | 12.2SRE | 12.2SRE |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2IRB | fixed in Release | fixed in Release |
| | 12.2SRE | 12.2SRE |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2IRC | fixed in Release | fixed in Release |
| | 12.2SRE | 12.2SRE |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2IRD | fixed in Release | fixed in Release |
| | 12.2SRE | 12.2SRE |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2IRE | fixed in Release | fixed in Release |
| | 12.2SRE | 12.2SRE |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2IRF | fixed in Release | fixed in Release |
| | 12.2SRE | 12.2SRE |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2IRG | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | | Vulnerable; contact |
| | | your support |
| | | organization per the |
| 12.2IRH | 12.2(33)IRH1 | instructions in |
| | | Obtaining Fixed |
| | | Software section of |
| | | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2IXA | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2IXB | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2IXC | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2IXD | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2IXE | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2IXF | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2IXG | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2IXH | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| 12.2JA | Not vulnerable | Not vulnerable |
|------------+-----------------------+-----------------------|
| 12.2JK | Not vulnerable | Not vulnerable |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2MB | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2MC | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2MRA | fixed in Release | fixed in Release |
| | 12.2SRE | 12.2SRE |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2MRB | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Releases prior to | Releases prior to |
| | 12.2(30)S are | 12.2(30)S are |
| | vulnerable; Releases | vulnerable; Releases |
| 12.2S | 12.2(30)S and later | 12.2(30)S and later |
| | are not vulnerable. | are not vulnerable. |
| | First fixed in | First fixed in |
| | Release 12.0S | Release 12.0S |
|------------+-----------------------+-----------------------|
| 12.2SB | 12.2(33)SB12 | 12.2(33)SB12 |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2SBC | fixed in Release | fixed in Release |
| | 12.2SB | 12.2SRE |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2SCA | fixed in Release | fixed in Release |
| | 12.2SCE | 12.2SCE |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2SCB | fixed in Release | fixed in Release |
| | 12.2SCE | 12.2SCE |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2SCC | fixed in Release | fixed in Release |
| | 12.2SCE | 12.2SCE |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2SCD | fixed in Release | fixed in Release |
| | 12.2SCE | 12.2SCE |
|------------+-----------------------+-----------------------|
| 12.2SCE | 12.2(33)SCE5 | 12.2(33)SCE6 |
|------------+-----------------------+-----------------------|
| 12.2SCF | 12.2(33)SCF2 | 12.2(33)SCF2 |
|------------+-----------------------+-----------------------|
| 12.2SE | 12.2(55)SE5 | |
| | | 12.2(55)SE5 * |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2SEA | fixed in Release | fixed in Release |
| | 12.2SE | 15.0SE |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2SEB | fixed in Release | fixed in Release |
| | 12.2SE | 15.0SE |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2SEC | fixed in Release | fixed in Release |
| | 12.2SE | 15.0SE |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2SED | fixed in Release | fixed in Release |
| | 12.2SE | 15.0SE |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2SEE | fixed in Release | fixed in Release |
| | 12.2SE | 15.0SE |
|------------+-----------------------+-----------------------|
| | | Vulnerable; First |
| 12.2SEF | Not vulnerable | fixed in Release |
| | | 15.0SE |
|------------+-----------------------+-----------------------|
| | Releases prior to | |
| | 12.2(25)SEG4 are | |
| | vulnerable; Releases | Vulnerable; First |
| 12.2SEG | 12.2(25)SEG4 and | fixed in Release |
| | later are not | 15.0SE |
| | vulnerable. First | |
| | fixed in Release | |
| | 15.0SE | |
|------------+-----------------------+-----------------------|
| | 12.2(53)SG7; | 12.2(53)SG7; |
| 12.2SG | Available on | Available on |
| | 07-MAY-12 | 07-MAY-12 |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2SGA | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| 12.2SL | Not vulnerable | Not vulnerable |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2SM | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2SO | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2SQ | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2SRA | fixed in Release | fixed in Release |
| | 12.2SRE | 12.2SRE |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2SRB | fixed in Release | fixed in Release |
| | 12.2SRE | 12.2SRE |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2SRC | fixed in Release | fixed in Release |
| | 12.2SRE | 12.2SRE |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2SRD | fixed in Release | fixed in Release |
| | 12.2SRE | 12.2SRE |
|------------+-----------------------+-----------------------|
| 12.2SRE | 12.2(33)SRE5 | 12.2(33)SRE6 |
|------------+-----------------------+-----------------------|
| | | Vulnerable; contact |
| | | your support |
| | | organization per the |
| 12.2STE | Not vulnerable | instructions in |
| | | Obtaining Fixed |
| | | Software section of |
| | | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2SU | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Releases up to and | Releases up to and |
| 12.2SV | including 12.2(18)SV2 | including 12.2(18)SV2 |
| | are not vulnerable. | are not vulnerable. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2SVA | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2SVC | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2SVD | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2SVE | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2SW | fixed in Release | fixed in Release |
| | 12.4SW | 12.4T |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2SX | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2SXA | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2SXB | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2SXD | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2SXE | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2SXF | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2SXH | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| 12.2SXI | 12.2(33)SXI9 | 12.2(33)SXI9 |
|------------+-----------------------+-----------------------|
| 12.2SXJ | 12.2(33)SXJ2 | 12.2(33)SXJ2 |
|------------+-----------------------+-----------------------|
| | 12.2(50)SY2; | 12.2(50)SY2; |
| 12.2SY | Available on | Available on |
| | 11-JUN-12 | 11-JUN-12 |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2SZ | fixed in Release | fixed in Release |
| | 12.0S | 12.0S |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2T | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2TPC | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2XA | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2XB | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2XC | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2XD | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2XE | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2XF | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2XG | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2XH | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2XI | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2XJ | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2XK | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2XL | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2XM | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Please see Cisco | Please see Cisco |
| 12.2XNA | IOS-XE Software | IOS-XE Software |
| | Availability | Availability |
|------------+-----------------------+-----------------------|
| | Please see Cisco | Please see Cisco |
| 12.2XNB | IOS-XE Software | IOS-XE Software |
| | Availability | Availability |
|------------+-----------------------+-----------------------|
| | Please see Cisco | Please see Cisco |
| 12.2XNC | IOS-XE Software | IOS-XE Software |
| | Availability | Availability |
|------------+-----------------------+-----------------------|
| | Please see Cisco | Please see Cisco |
| 12.2XND | IOS-XE Software | IOS-XE Software |
| | Availability | Availability |
|------------+-----------------------+-----------------------|
| | Please see Cisco | Please see Cisco |
| 12.2XNE | IOS-XE Software | IOS-XE Software |
| | Availability | Availability |
|------------+-----------------------+-----------------------|
| | Please see Cisco | Please see Cisco |
| 12.2XNF | IOS-XE Software | IOS-XE Software |
| | Availability | Availability |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2XO | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2XQ | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Releases prior to | Releases prior to |
| | 12.2(15)XR are | 12.2(15)XR are |
| | vulnerable; Releases | vulnerable; Releases |
| 12.2XR | 12.2(15)XR and later | 12.2(15)XR and later |
| | are not vulnerable. | are not vulnerable. |
| | First fixed in | First fixed in |
| | Release 12.4 | Release 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2XS | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2XT | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2XU | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2XV | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2XW | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2YA | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2YC | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2YD | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2YE | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2YK | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2YO | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| | fixed in Release 12.4 | fixed in Release |
| 12.2YP | Releases up to and | 15.0M |
| | including 12.2(8)YP | Releases up to and |
| | are not vulnerable. | including 12.2(8)YP |
| | | are not vulnerable. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2YT | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2YW | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2YX | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2YY | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2YZ | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2ZA | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2ZB | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2ZC | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2ZD | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2ZE | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2ZH | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2ZJ | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2ZP | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2ZU | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.2ZX | fixed in Release | fixed in Release |
| | 12.2SB | 12.2SRE |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2ZY | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.2ZYA | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | | First Fixed Release |
| Affected | | for All Advisories in |
| 12.3-Based | First Fixed Release | the March 2012 Cisco |
| Releases | | IOS Software Security |
| | | Advisory Bundled |
| | | Publication |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3 | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3B | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3BC | fixed in Release | fixed in Release |
| | 12.2SCE | 12.2SCE |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3BW | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Releases prior to | |
| | 12.3(4)JA2 are | |
| | vulnerable; Releases | Vulnerable; First |
| 12.3JA | 12.3(4)JA2 and later | fixed in Release |
| | are not vulnerable. | 12.4JA |
| | Migrate to any | |
| | release in 12.4JA | |
|------------+-----------------------+-----------------------|
| | | Vulnerable; contact |
| | | your support |
| | | organization per the |
| 12.3JEA | Not vulnerable | instructions in |
| | | Obtaining Fixed |
| | | Software section of |
| | | this advisory. |
|------------+-----------------------+-----------------------|
| | | Vulnerable; contact |
| | | your support |
| | | organization per the |
| 12.3JEB | Not vulnerable | instructions in |
| | | Obtaining Fixed |
| | | Software section of |
| | | this advisory. |
|------------+-----------------------+-----------------------|
| | | Vulnerable; contact |
| | | your support |
| | | organization per the |
| 12.3JEC | Not vulnerable | instructions in |
| | | Obtaining Fixed |
| | | Software section of |
| | | this advisory. |
|------------+-----------------------+-----------------------|
| | | Vulnerable; contact |
| | | your support |
| | | organization per the |
| 12.3JED | Not vulnerable | instructions in |
| | | Obtaining Fixed |
| | | Software section of |
| | | this advisory. |
|------------+-----------------------+-----------------------|
| | Releases up to and | |
| | including 12.3(2)JK3 | |
| | are not vulnerable. | Vulnerable; First |
| 12.3JK | Releases 12.3(8)JK1 | fixed in Release |
| | and later are not | 15.0M |
| | vulnerable. First | |
| | fixed in Release 12.4 | |
|------------+-----------------------+-----------------------|
| | | Vulnerable; contact |
| | | your support |
| | | organization per the |
| 12.3JL | Not vulnerable | instructions in |
| | | Obtaining Fixed |
| | | Software section of |
| | | this advisory. |
|------------+-----------------------+-----------------------|
| 12.3JX | Not vulnerable | Not vulnerable |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3T | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.3TPC | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| 12.3VA | Not vulnerable | Not vulnerable |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3XA | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.3XB | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3XC | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3XD | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3XE | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.3XF | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3XG | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3XI | fixed in Release | fixed in Release |
| | 12.2SB | 12.2SRE |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3XJ | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3XK | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3XL | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3XQ | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3XR | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3XU | fixed in Release | fixed in Release |
| | 12.4T | 12.4T |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3XW | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3XX | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3XY | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3XZ | fixed in Release 12.4 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3YD | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3YF | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3YG | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3YI | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3YJ | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3YK | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3YM | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3YQ | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3YS | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3YT | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3YU | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3YX | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.3YZ | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.3ZA | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | | First Fixed Release |
| Affected | | for All Advisories in |
| 12.4-Based | First Fixed Release | the March 2012 Cisco |
| Releases | | IOS Software Security |
| | | Advisory Bundled |
| | | Publication |
|------------+-----------------------+-----------------------|
| | 12.4(25g); Available | Vulnerable; First |
| 12.4 | on 19-SEP-12 | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.4GC | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| 12.4JA | Not vulnerable | 12.4(23c)JA4 |
| | | 12.4(25e)JA |
|------------+-----------------------+-----------------------|
| | | Vulnerable; First |
| 12.4JAX | Not vulnerable | fixed in Release |
| | | 12.4JA |
|------------+-----------------------+-----------------------|
| | | Vulnerable; contact |
| | | your support |
| | | organization per the |
| 12.4JDA | Not vulnerable | instructions in |
| | | Obtaining Fixed |
| | | Software section of |
| | | this advisory. |
|------------+-----------------------+-----------------------|
| | | Vulnerable; contact |
| | | your support |
| | | organization per the |
| 12.4JDC | Not vulnerable | instructions in |
| | | Obtaining Fixed |
| | | Software section of |
| | | this advisory. |
|------------+-----------------------+-----------------------|
| | | Vulnerable; contact |
| | | your support |
| | | organization per the |
| 12.4JDD | Not vulnerable | instructions in |
| | | Obtaining Fixed |
| | | Software section of |
| | | this advisory. |
|------------+-----------------------+-----------------------|
| | | Vulnerable; contact |
| | | your support |
| | | organization per the |
| 12.4JDE | Not vulnerable | instructions in |
| | | Obtaining Fixed |
| | | Software section of |
| | | this advisory. |
|------------+-----------------------+-----------------------|
| | | Vulnerable; contact |
| | | your support |
| | | organization per the |
| 12.4JHA | Not vulnerable | instructions in |
| | | Obtaining Fixed |
| | | Software section of |
| | | this advisory. |
|------------+-----------------------+-----------------------|
| | | Vulnerable; contact |
| | | your support |
| | | organization per the |
| 12.4JHB | Not vulnerable | instructions in |
| | | Obtaining Fixed |
| | | Software section of |
| | | this advisory. |
|------------+-----------------------+-----------------------|
| | | Vulnerable; contact |
| | | your support |
| | | organization per the |
| 12.4JHC | Not vulnerable | instructions in |
| | | Obtaining Fixed |
| | | Software section of |
| | | this advisory. |
|------------+-----------------------+-----------------------|
| | | Vulnerable; contact |
| | | your support |
| | | organization per the |
| 12.4JK | Not vulnerable | instructions in |
| | | Obtaining Fixed |
| | | Software section of |
| | | this advisory. |
|------------+-----------------------+-----------------------|
| | | Vulnerable; contact |
| | | your support |
| | | organization per the |
| 12.4JL | Not vulnerable | instructions in |
| | | Obtaining Fixed |
| | | Software section of |
| | | this advisory. |
|------------+-----------------------+-----------------------|
| | | Vulnerable; First |
| 12.4JX | Not vulnerable | fixed in Release |
| | | 12.4JA |
|------------+-----------------------+-----------------------|
| | | Vulnerable; First |
| 12.4JY | Not vulnerable | fixed in Release |
| | | 12.4JA |
|------------+-----------------------+-----------------------|
| | | Vulnerable; First |
| 12.4JZ | Not vulnerable | fixed in Release |
| | | 12.4JA |
|------------+-----------------------+-----------------------|
| | 12.4(24)MD7; | 12.4(22)MD3; |
| 12.4MD | Available on | Available on |
| | 29-Jun-12 | 30-MAR-12 |
|------------+-----------------------+-----------------------|
| 12.4MDA | 12.4(24)MDA11 | 12.4(24)MDA11 |
|------------+-----------------------+-----------------------|
| 12.4MDB | 12.4(24)MDB5a | 12.4(24)MDB5a |
|------------+-----------------------+-----------------------|
| 12.4MDC | Not vulnerable | Not vulnerable |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.4MR | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.4MRA | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.4MRB | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | | Vulnerable; First |
| 12.4SW | 12.4(15)SW8a | fixed in Release |
| | | 15.0M |
|------------+-----------------------+-----------------------|
| | 12.4(15)T17 | 12.4(15)T17 |
| 12.4T | 12.4(24)T7 | 12.4(24)T7 |
| | | |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.4XA | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.4XB | fixed in Release | fixed in Release |
| | 12.4T | 12.4T |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.4XC | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.4XD | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.4XE | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.4XF | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.4XG | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.4XJ | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.4XK | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.4XL | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.4XM | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.4XN | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.4XP | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.4XQ | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.4XR | fixed in Release | fixed in Release |
| | 12.4T | 12.4T |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.4XT | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.4XV | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.4XW | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.4XY | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.4XZ | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 12.4YA | fixed in Release | fixed in Release |
| | 12.4T | 15.0M |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.4YB | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 12.4YD | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| 12.4YE | 12.4(24)YE3d | 12.4(24)YE3d |
|------------+-----------------------+-----------------------|
| 12.4YG | 12.4(24)YG4 | 12.4(24)YG4 |
|------------+-----------------------+-----------------------|
| | | First Fixed Release |
| Affected | | for All Advisories in |
| 15.0-Based | First Fixed Release | the March 2012 Cisco |
| Releases | | IOS Software Security |
| | | Advisory Bundled |
| | | Publication |
|------------+-----------------------+-----------------------|
| 15.0M | 15.0(1)M8 | 15.0(1)M8 |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 15.0MR | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 15.0MRA | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| | 15.0(1)S5 | 15.0(1)S5 |
| | Cisco IOS XE devices: | Cisco IOS XE devices: |
| 15.0S | Please see Cisco IOS | Please see Cisco IOS |
| | XE Software | XE Software |
| | Availability | Availability |
|------------+-----------------------+-----------------------|
| 15.0SA | Not vulnerable | Not vulnerable |
|------------+-----------------------+-----------------------|
| | 15.0(1)SE1 | |
| 15.0SE | 15.0(2)SE; Available | 15.0(1)SE1 |
| | on 06-AUG-12 | |
|------------+-----------------------+-----------------------|
| | 15.0(2)SG2 | 15.0(2)SG2 |
| | Cisco IOS XE devices: | Cisco IOS XE devices: |
| 15.0SG | Please see Cisco | Please see Cisco |
| | IOS-XE Software | IOS-XE Software |
| | Availability | Availability |
|------------+-----------------------+-----------------------|
| 15.0SY | Not vulnerable | 15.0(1)SY1 |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 15.0XA | fixed in Release | fixed in Release |
| | 15.1T | 15.1T |
|------------+-----------------------+-----------------------|
| | Cisco IOS XE devices: | Cisco IOS XE devices: |
| 15.0XO | Please see Cisco | Please see Cisco |
| | IOS-XE Software | IOS-XE Software |
| | Availability | Availability |
|------------+-----------------------+-----------------------|
| | | First Fixed Release |
| Affected | | for All Advisories in |
| 15.1-Based | First Fixed Release | the March 2012 Cisco |
| Releases | | IOS Software Security |
| | | Advisory Bundled |
| | | Publication |
|------------+-----------------------+-----------------------|
| 15.1EY | 15.1(2)EY1a | 15.1(2)EY2 |
|------------+-----------------------+-----------------------|
| 15.1GC | 15.1(2)GC2 | 15.1(2)GC2 |
|------------+-----------------------+-----------------------|
| 15.1M | 15.1(4)M2 | 15.1(4)M4; Available |
| | 15.1(4)M3a | on 30-MAR-12 |
|------------+-----------------------+-----------------------|
| | | Vulnerable; contact |
| | | your support |
| | | organization per the |
| 15.1MR | 15.1(1)MR3 | instructions in |
| | | Obtaining Fixed |
| | | Software section of |
| | | this advisory. |
|------------+-----------------------+-----------------------|
| | 15.1(3)S1 | 15.1(3)S2 |
| | Cisco IOS XE devices: | Cisco IOS XE devices: |
| 15.1S | Please see Cisco IOS | Please see Cisco IOS |
| | XE Software | XE Software |
| | Availability | Availability |
|------------+-----------------------+-----------------------|
| | Not vulnerable | Not vulnerable |
| | Cisco IOS XE devices: | Cisco IOS XE devices: |
| 15.1SG | Please see Cisco IOS | Please see Cisco IOS |
| | XE Software | XE Software |
| | Availability | Availability |
|------------+-----------------------+-----------------------|
| | Vulnerable; contact | Vulnerable; contact |
| | your support | your support |
| | organization per the | organization per the |
| 15.1SNG | instructions in | instructions in |
| | Obtaining Fixed | Obtaining Fixed |
| | Software section of | Software section of |
| | this advisory. | this advisory. |
|------------+-----------------------+-----------------------|
| 15.1SNH | Not vulnerable | Not vulnerable |
|------------+-----------------------+-----------------------|
| | 15.1(1)T5; Available | |
| | on 18-MAY-12 | |
| 15.1T | 15.1(2)T5; Available | 15.1(3)T3 |
| | on 27-APR-12 | |
| | 15.1(3)T3 | |
|------------+-----------------------+-----------------------|
| | Vulnerable; First | Vulnerable; First |
| 15.1XB | fixed in Release | fixed in Release |
| | 15.1T | 15.1T |
|------------+-----------------------+-----------------------|
| | | First Fixed Release |
| Affected | | for All Advisories in |
| 15.2-Based | First Fixed Release | the March 2012 Cisco |
| Releases | | IOS Software Security |
| | | Advisory Bundled |
| | | Publication |
|------------+-----------------------+-----------------------|
| 15.2GC | 15.2(1)GC1 | 15.2(1)GC2 |
|------------+-----------------------+-----------------------|
| | Not vulnerable | 15.2(1)S1 |
| | Cisco IOS XE devices: | Cisco IOS XE devices: |
| 15.2S | Please see Cisco IOS | Please see Cisco IOS |
| | XE Software | XE Software |
| | Availability | Availability |
|------------+-----------------------+-----------------------|
| | 15.2(1)T1 | 15.2(1)T2 |
| 15.2T | 15.2(2)T | 15.2(2)T1 |
| | 15.2(2)T1 | 15.2(3)T; Available |
| | | on 30-MAR-12 |
+------------------------------------------------------------+
* Cisco Catalyst 3550 Series Switches support the Internet Key Exchange
(IKE) feature and are vulnerable to Cisco bug ID CSCts38429 when the
devices are running Layer 3 images; however, this product reached
the End of Software Maintenance milestone. Cisco 3550 Series SMI
Switches that are running Layer 2 images do not support IKE and are not
vulnerable. No other Cisco devices that run 12.2SE-based software are
vulnerable.
Cisco IOS XE Software
+--------------------
Cisco IOS XE Software is affected by the vulnerability that is
disclosed in this document.
+------------------------------------------------------------+
| Cisco IOS | | First Fixed Release for All |
| XE | First Fixed | Advisories in the March 2012 |
| Software | Release | Cisco IOS Software Security |
| Release | | Advisory Bundled Publication |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 2.1.x | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.1S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 2.2.x | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.1S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 2.3.x | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.1S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 2.4.x | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.1S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 2.5.x | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.1S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 2.6.x | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.1S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 3.1.xS | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.1S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 3.1.xSG | migrate to | Vulnerable; migrate to 3.2.2SG |
| | 3.2.2SG or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 3.2.xS | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.1S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| 3.2.xSG | 3.2.2SG | 3.2.2SG |
|-----------+--------------+---------------------------------|
| | Vulnerable; | |
| 3.3.xS | migrate to | Vulnerable; migrate to 3.4.2S |
| | 3.4.1S or | or later. |
| | later. | |
|-----------+--------------+---------------------------------|
| 3.3.xSG | Not | Not Vulnerable |
| | Vulnerable | |
|-----------+--------------+---------------------------------|
| 3.4.xS | 3.4.1S | 3.4.2S |
|-----------+--------------+---------------------------------|
| 3.5.xS | Not | 3.5.1S |
| | vulnerable | |
|-----------+--------------+---------------------------------|
| 3.6.xS | Not | Not vulnerable |
| | vulnerable | |
+------------------------------------------------------------+
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
Release Notes, and Cisco IOS XE 3SG Release Notes.
Cisco IOS XR Software
+--------------------
Cisco IOS XR Software is not affected by any of the vulnerabilities
disclosed in the March 2012 Cisco IOS Software Security Advisory
Bundled Publication.
Workarounds
===========
Customers with an MSDP-configured router who do not require membership
to multicast groups can remove the "ip sap listen" or "ip igmp
join-group <multicast-group address>" commands on the router interface
as a workaround.
For example:
RouterA#conf t
RouterA(config)# interface GigabitEthernet0/0
RouterA(config-if)# no ip sap listen
RouterA(config-if)# no ip igmp join-group 224.2.127.254
interface GigabitEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip pim sparse-mode
To determine if a router is configured for MSDP peers, run the
command "show ip msdp peer" at the router command prompt:
RouterA# show ip msdp peer
MSDP Peer 192.168.0.2 (?), AS 100
Connection status:
State: Up, Resets: 0, Connection source: none configured
Uptime(Downtime): 01:23:42, Messages sent/received: 25/24
Output messages discarded: 0
Connection and counters cleared 01:15:14 ago
SA Filtering:
Input (S,G) filter: none, route-map: none
Input RP filter: none, route-map: none
Output (S,G) filter: none, route-map: none
Output RP filter: none, route-map: none
SA-Requests:
Input filter: none
Peer ttl threshold: 0
SAs learned from this peer: 0
Input queue size: 0, Output queue size: 0
Message counters:
RPF Failure count: 0
SA Messages in/out: 13/8
SA Requests in: 0
SA Responses out: 0
Data Packets in/out: 7/8
To remove an untrusted MSDP peer from your configuration, use the "no
ip msdp peer <address>" or "ip msdp default-peer <ip-address | name>"
command on the router configuration interface.
RouterA(config)# no ip msdp peer 192.168.0.2
interface GigabitEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip pim sparse-mode
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerability|vulnerabilities described in this advisory. Prior to
deploying software, customers are advised to consult their
maintenance providers or check the software for feature set
compatibility and known issues that are specific to their
environments.
Customers may only install and expect support for feature
sets they have purchased. By installing, downloading,
accessing, or otherwise using such software upgrades, customers
agree to follow the terms of the Cisco software license at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as set forth at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be obtained
through the Software Center on Cisco.com at http://www.cisco.com.
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their
service providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should obtain upgrades by contacting the Cisco
Technical Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerability that is described in this advisory.
This vulnerability was found during the troubleshooting of customer
service requests.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce(a)cisco.com
* first-bulletins(a)lists.first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2012-March-28 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco is available on Cisco.com at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.….
This web page includes instructions for press inquiries
regarding Cisco Security Advisories. All Cisco Security Advisories are
available at http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iF4EAREIAAYFAk9xNOEACgkQQXnnBKKRMND6JgD/TLEfBY6XfhL7hpQW01gFYpBT
sO8HTYkhaAOnkwSN/psBAIOin3zSOfsxb42tDq57ub1MvMM7zk28YqWG2V3y6p7G
=Ja0H
-----END PGP SIGNATURE-----
10 years, 3 months
- 1
- 0
Cisco Security Advisory: Cisco IOS Software Smart Install Denial of Service Vulnerability
by Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Cisco IOS Software Smart Install Denial of Service Vulnerability
Advisory ID: cisco-sa-20120328-smartinstall
Revision 1.0
For Public Release 2012 March 28 16:00 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
Cisco IOS Software contains a vulnerability in the Smart Install
feature that could allow an unauthenticated, remote attacker to cause
a reload of an affected device if the Smart Install feature is
enabled. The vulnerability is triggered when an affected device
processes a malformed Smart Install message on TCP port 4786.
Cisco has released free software updates that address this
vulnerability. There are no workarounds to mitigate this
vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Note: The March 28, 2012, Cisco IOS Software Security Advisory
bundled publication includes nine Cisco Security Advisories. Each
advisory lists the Cisco IOS Software releases that correct the
vulnerability or vulnerabilities detailed in the advisory as well as
the Cisco IOS Software releases that correct all vulnerabilities in
the March 2012 bundled publication.
Individual publication links are in "Cisco Event Response:
Semi-Annual Cisco IOS Software Security Advisory Bundled Publication"
at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html
Affected Products
=================
Vulnerable Products
+------------------
Devices configured as a Smart Install client or director are affected
by this vulnerability. To display Smart Install information, use the
show vstack config privileged EXEC command on the Smart Install
director or client. The outputs of show commands are different when
entered on the director or on the client. The following is the output
of show vstack config in a Cisco Catalyst Switch configured as a
Smart Install client:
switch#show vstack config
Role: Client
Vstack Director IP address: 10.1.1.163
The following is the output of show vstack config in a Cisco Catalyst
Switch configured as a Smart Install director:
Director# show vstack config
Role: Director
Vstack Director IP address: 10.1.1.163
Vstack Mode: Basic
Vstack default management vlan: 1
Vstack management Vlans: none
Vstack Config file: tftp://10.1.1.100/default-config.txt
Vstack Image file: tftp://10.1.1.100/c3750e-universalk9-tar.122-
Join Window Details:
Window: Open (default)
Operation Mode: auto (default)
Vstack Backup Details:
Mode: On (default)
Repository: flash:/vstack (default)
The Smart Install Feature is enabled by default.
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 15.0(1)M1 with an installed image name of
C3900-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS and NX-OS
Software Reference Guide" at:
http://www.cisco.com/web/about/security/intelligence/ios-ref.html
Products Confirmed Not Vulnerable
+--------------------------------
Cisco IOS XR Software is not affected by this vulnerability.
Cisco IOS XE Software is not affected by this vulnerability.
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
Smart Install is a plug-and-play configuration and image-management
feature that provides zero-touch deployment for new LAN Ethernet
switches. This feature allows, for example, new LAN switches to be
deployed at new locations without any configuration.
A vulnerability exists in the Smart Install feature of Cisco IOS
Software that could allow an unauthenticated, remote attacker to
cause a reload of an affected device. Smart Install uses a Cisco
proprietary protocol that runs over TCP port 4786. To exploit this
vulnerability, an attacker needs to establish a TCP session on port
4786 of an affected device that has the Smart Install feature
enabled, and then send a malformed Smart Install message.
This vulnerability is documented in Cisco bug ID CSCtt16051
and has been assigned Common Vulnerabilities and Exposures (CVE)
ID CVE-2012-0385.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerability in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority
of a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the
environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* Cisco IOS Software Smart Install Denial of Service Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability that is described in
this advisory may cause a reload of an affected device. Repeated
exploitation could result in a sustained denial of service condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt and any subsequent advisories
to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Cisco IOS Software
+-----------------
Each row of the following Cisco IOS Software table corresponds to a
Cisco IOS Software train. If a particular train is vulnerable, the
earliest releases that contain the fix are listed in the First Fixed
Release column. The First Fixed Release for All Advisories in the
March 2012 Bundled Publication column lists the earliest possible
releases that correct all the published vulnerabilities in the Cisco
IOS Software Security Advisory bundled publication. Cisco recommends
upgrading to the latest available release, where possible.
The Cisco IOS Software Checker allows customers to search for Cisco
Security Advisories that address specific Cisco IOS Software
releases. This tool is available on the Cisco Security Intelligence
Operations (SIO) portal at:
http://tools.cisco.com/security/center/selectIOSVersion.x
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|----------+--------------------------------------------------------|
| Affected | | First Fixed Release for All |
|12.0-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases | | IOS Software Security Advisory |
| | | Bundled Publication |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
| Affected | | First Fixed Release for All |
|12.2-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases | | IOS Software Security Advisory |
| | | Bundled Publication |
|----------+---------------------+----------------------------------|
|12.2 |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2B |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2BC |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2BW |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2BX |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SB |
|----------+---------------------+----------------------------------|
|12.2BY |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2BZ |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2CX |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2CY |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2CZ |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.0S |
|----------+---------------------+----------------------------------|
|12.2DA |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2DD |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2DX |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2EU |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2EW |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2EWA |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| |Vulnerable; First | |
| |fixed in Release | |
|12.2EX |15.0SE |Vulnerable; First fixed in Release|
| |Releases up to and |15.0SE |
| |including 12.2(46)EX | |
| |are not vulnerable. | |
|----------+---------------------+----------------------------------|
| |Vulnerable; migrate | |
| |to any release in | |
|12.2EY |15.1EY |12.2(52)EY4 |
| |Releases up to and | |
| |including 12.2(52)EY4| |
| |are not vulnerable. | |
|----------+---------------------+----------------------------------|
| |Vulnerable; First | |
| |fixed in Release | |
|12.2EZ |15.0SE |Vulnerable; First fixed in Release|
| |Releases up to and |15.0SE |
| |including 12.2(53)EZ | |
| |are not vulnerable. | |
|----------+---------------------+----------------------------------|
|12.2FX |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0SE |
|----------+---------------------+----------------------------------|
|12.2FY |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0SE |
|----------+---------------------+----------------------------------|
|12.2FZ |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0SE |
|----------+---------------------+----------------------------------|
|12.2IRA |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
|12.2IRB |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
|12.2IRC |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
|12.2IRD |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
|12.2IRE |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
|12.2IRF |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2IRG |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2IRH |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2IXA |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2IXB |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2IXC |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2IXD |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2IXE |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2IXF |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2IXG |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2IXH |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|12.2JA |Not vulnerable |Not vulnerable |
|----------+---------------------+----------------------------------|
|12.2JK |Not vulnerable |Not vulnerable |
|----------+---------------------+----------------------------------|
|12.2MB |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2MC |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2MRA |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2MRB |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Releases prior to 12.2(30)S are |
|12.2S |Not vulnerable |vulnerable; Releases 12.2(30)S and|
| | |later are not vulnerable. First |
| | |fixed in Release 12.0S |
|----------+---------------------+----------------------------------|
|12.2SB |Not vulnerable |12.2(33)SB12 |
|----------+---------------------+----------------------------------|
|12.2SBC |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
|12.2SCA |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SCE |
|----------+---------------------+----------------------------------|
|12.2SCB |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SCE |
|----------+---------------------+----------------------------------|
|12.2SCC |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SCE |
|----------+---------------------+----------------------------------|
|12.2SCD |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SCE |
|----------+---------------------+----------------------------------|
|12.2SCE |Not vulnerable |12.2(33)SCE6 |
|----------+---------------------+----------------------------------|
|12.2SCF |Not vulnerable |12.2(33)SCF2 |
|----------+---------------------+----------------------------------|
|12.2SE |12.2(55)SE5 | |
| | |12.2(55)SE5 * |
|----------+---------------------+----------------------------------|
|12.2SEA |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0SE |
|----------+---------------------+----------------------------------|
|12.2SEB |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0SE |
|----------+---------------------+----------------------------------|
|12.2SEC |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0SE |
|----------+---------------------+----------------------------------|
|12.2SED |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0SE |
|----------+---------------------+----------------------------------|
|12.2SEE |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0SE |
|----------+---------------------+----------------------------------|
|12.2SEF |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0SE |
|----------+---------------------+----------------------------------|
|12.2SEG |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0SE |
|----------+---------------------+----------------------------------|
|12.2SG |Not vulnerable |12.2(53)SG7; Available on |
| | |07-MAY-12 |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SGA |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|12.2SL |Not vulnerable |Not vulnerable |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SM |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SO |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SQ |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|12.2SRA |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
|12.2SRB |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
|12.2SRC |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
|12.2SRD |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
|12.2SRE |Not vulnerable |12.2(33)SRE6 |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2STE |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|12.2SU |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2SV |Not vulnerable |Releases up to and including 12.2 |
| | |(18)SV2 are not vulnerable. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SVA |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SVC |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SVD |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SVE |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|12.2SW |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.4T |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SX |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SXA |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SXB |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SXD |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SXE |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SXF |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2SXH |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|12.2SXI |Not vulnerable |12.2(33)SXI9 |
|----------+---------------------+----------------------------------|
|12.2SXJ |Not vulnerable |12.2(33)SXJ2 |
|----------+---------------------+----------------------------------|
|12.2SY |Not vulnerable |12.2(50)SY2; Available on |
| | |11-JUN-12 |
|----------+---------------------+----------------------------------|
|12.2SZ |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.0S |
|----------+---------------------+----------------------------------|
|12.2T |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2TPC |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|12.2XA |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XB |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XC |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XD |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XE |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XF |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XG |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XH |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XI |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XJ |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XK |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XL |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XM |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
| |Please see Cisco |Please see Cisco IOS-XE Software |
|12.2XNA |IOS-XE Software |Availability |
| |Availability | |
|----------+---------------------+----------------------------------|
| |Please see Cisco |Please see Cisco IOS-XE Software |
|12.2XNB |IOS-XE Software |Availability |
| |Availability | |
|----------+---------------------+----------------------------------|
| |Please see Cisco |Please see Cisco IOS-XE Software |
|12.2XNC |IOS-XE Software |Availability |
| |Availability | |
|----------+---------------------+----------------------------------|
| |Please see Cisco |Please see Cisco IOS-XE Software |
|12.2XND |IOS-XE Software |Availability |
| |Availability | |
|----------+---------------------+----------------------------------|
| |Please see Cisco |Please see Cisco IOS-XE Software |
|12.2XNE |IOS-XE Software |Availability |
| |Availability | |
|----------+---------------------+----------------------------------|
| |Please see Cisco |Please see Cisco IOS-XE Software |
|12.2XNF |IOS-XE Software |Availability |
| |Availability | |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2XO |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|12.2XQ |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
| | |Releases prior to 12.2(15)XR are |
|12.2XR |Not vulnerable |vulnerable; Releases 12.2(15)XR |
| | |and later are not vulnerable. |
| | |First fixed in Release 15.0M |
|----------+---------------------+----------------------------------|
|12.2XS |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XT |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XU |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XV |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2XW |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2YA |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2YC |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2YD |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2YE |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2YK |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2YO |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; First fixed in Release|
|12.2YP |Not vulnerable |15.0M |
| | |Releases up to and including 12.2 |
| | |(8)YP are not vulnerable. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2YT |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2YW |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2YX |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2YY |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2YZ |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2ZA |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2ZB |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2ZC |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2ZD |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|12.2ZE |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
|12.2ZH |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.0M |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2ZJ |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2ZP |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2ZU |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|12.2ZX |Not vulnerable |Vulnerable; First fixed in Release|
| | |12.2SRE |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2ZY |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|12.2ZYA |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| Affected | | First Fixed Release for All |
|12.3-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases | | IOS Software Security Advisory |
| | | Bundled Publication |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|-------------------------------------------------------------------|
| Affected | | First Fixed Release for All |
|12.4-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases | | IOS Software Security Advisory |
| | | Bundled Publication |
|-------------------------------------------------------------------|
| There are no affected 12.4 based releases |
|-------------------------------------------------------------------|
| Affected | | First Fixed Release for All |
|15.0-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases | | IOS Software Security Advisory |
| | | Bundled Publication |
|----------+---------------------+----------------------------------|
|15.0M |Not vulnerable |15.0(1)M8 |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|15.0MR |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|15.0MRA |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| |Not vulnerable | |
| |Cisco IOS XE devices:|15.0(1)S5 |
|15.0S |Please see Cisco IOS |Cisco IOS XE devices: Please see |
| |XE Software |Cisco IOS XE Software Availability|
| |Availability | |
|----------+---------------------+----------------------------------|
|15.0SA |Not vulnerable |Not vulnerable |
|----------+---------------------+----------------------------------|
|15.0SE |15.0(1)SE1 |15.0(1)SE1 |
|----------+---------------------+----------------------------------|
| |Not vulnerable | |
| |Cisco IOS XE devices:|15.0(2)SG2 |
|15.0SG |Please see Cisco IOS |Cisco IOS XE devices: Please see |
| |XE Software |Cisco IOS XE Software Availability|
| |Availability | |
|----------+---------------------+----------------------------------|
|15.0SY |Not vulnerable |15.0(1)SY1 |
|----------+---------------------+----------------------------------|
|15.0XA |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.1T |
|----------+---------------------+----------------------------------|
| |Cisco IOS XE devices:| |
|15.0XO |Please see Cisco |Cisco IOS XE devices: Please see |
| |IOS-XE Software |Cisco IOS-XE Software Availability|
| |Availability | |
|----------+---------------------+----------------------------------|
| Affected | | First Fixed Release for All |
|15.1-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases | | IOS Software Security Advisory |
| | | Bundled Publication |
|----------+---------------------+----------------------------------|
|15.1EY |Not vulnerable |15.1(2)EY2 |
|----------+---------------------+----------------------------------|
|15.1GC |Not vulnerable |15.1(2)GC2 |
|----------+---------------------+----------------------------------|
|15.1M |15.1(4)M4; Available |15.1(4)M4; Available on 30-MAR-12 |
| |on 30-MAR-12 | |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|15.1MR |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
| |Not vulnerable | |
| |Cisco IOS XE devices:|15.1(3)S2 |
|15.1S |Please see Cisco IOS |Cisco IOS XE devices: Please see |
| |XE Software |Cisco IOS XE Software Availability|
| |Availability | |
|----------+---------------------+----------------------------------|
| |Not vulnerable | |
| |Cisco IOS XE devices:|Not vulnerable |
|15.1SG |Please see Cisco IOS |Cisco IOS XE devices: Please see |
| |XE Software |Cisco IOS XE Software Availability|
| |Availability | |
|----------+---------------------+----------------------------------|
| | |Vulnerable; contact your support |
|15.1SNG |Not vulnerable |organization per the instructions |
| | |in Obtaining Fixed Software |
| | |section of this advisory. |
|----------+---------------------+----------------------------------|
|15.1SNH |Not vulnerable |Not vulnerable |
|----------+---------------------+----------------------------------|
|15.1T |15.1(3)T3 |15.1(3)T3 |
|----------+---------------------+----------------------------------|
|15.1XB |Not vulnerable |Vulnerable; First fixed in Release|
| | |15.1T |
|----------+---------------------+----------------------------------|
| Affected | | First Fixed Release for All |
|15.2-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases | | IOS Software Security Advisory |
| | | Bundled Publication |
|----------+---------------------+----------------------------------|
|15.2GC |15.2(1)GC2 |15.2(1)GC2 |
|----------+---------------------+----------------------------------|
| |Not vulnerable |15.2(1)S1 |
| |Cisco IOS XE devices:| |
|15.2S |Please see Cisco IOS |Cisco IOS XE devices: Please see |
| |XE Software |Cisco IOS XE Software Availability|
| |Availability | |
|----------+---------------------+----------------------------------|
| |15.2(1)T2 |15.2(1)T2 |
|15.2T |15.2(2)T1 |15.2(2)T1 |
| |15.2(3)T; Available |15.2(3)T; Available on 30-MAR-12 |
| |on 30-MAR-12 | |
+-------------------------------------------------------------------+
* Cisco Catalyst 3550 Series Switches support the Internet Key
Exchange (IKE) feature and are vulnerable to Cisco bug ID CSCts38429
when the devices are running Layer 3 images; however, this product
reached the End of Software Maintenance milestone. Cisco 3550 Series
SMI Switches that are running Layer 2 images do not support IKE and
are not vulnerable. No other Cisco devices that run 12.2SE-based
software are vulnerable.
Cisco IOS XE Software
+--------------------
Cisco IOS XE Software is not affected by the vulnerability disclosed
in this advisory.
Cisco IOS XR Software
+--------------------
Cisco IOS XR Software is not affected by any of the vulnerabilities
disclosed in the March 2012 Cisco IOS Software Security Advisory
Bundled Publication.
Workarounds
===========
There are no workarounds available to mitigate this vulnerability
other than disabling the Smart Install feature. To disable the Smart
Install feature use the global configuration command no vstack.
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBullet…
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerability described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance
providers or check the software for feature set compatibility and
known issues that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their
service providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should obtain upgrades by contacting the Cisco
Technical Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerability that is described in this advisory.
This issue was reported to Cisco by customers who discovered it
during the course of security audits.
Status of This Notice: Final
+---------------------------
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce(a)cisco.com
* first-bulletins(a)lists.first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2012-March-28 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available
on Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.…
This web page includes instructions for press inquiries regarding
Cisco Security Advisories.
All Cisco Security Advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFPcSThQXnnBKKRMNARCOH4AP9Wgc8t/hVLf4NZrWSE6Y64edlgu+lg7MB6
h5OtNEQTgAD/Ux8fxWyhS8HGYK17bT294K2OMuymiytT5sN/T2u/ZY8=
=6eFE
-----END PGP SIGNATURE-----
10 years, 3 months
- 1
- 0
Cisco Security Advisory: Cisco IOS Software Zone-Based Firewall Vulnerabilities
by Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Cisco IOS Software Zone-Based Firewall Vulnerabilities
Advisory ID: cisco-sa-20120328-zbfw
Revision 1.0
For Public Release 2012 March 28 16:00 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
Cisco IOS Software contains four vulnerabilities related to Cisco IOS
Zone-Based Firewall features. These vulnerabilities are as follows:
* Memory Leak Associated with Crafted IP Packets
* Memory Leak in HTTP Inspection
* Memory Leak in H.323 Inspection
* Memory Leak in SIP Inspection
Workarounds that mitigate these vulnerabilities are not available.
Cisco has released free software updates that address these
vulnerabilities.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Note: The March 28, 2012, Cisco IOS Software Security Advisory
bundled publication includes nine Cisco Security Advisories. Each
advisory lists the Cisco IOS Software releases that correct the
vulnerability or vulnerabilities detailed in the advisory as well as
the Cisco IOS Software releases that correct all vulnerabilities in
the March 2012 bundled publication.
Individual publication links are in "Cisco Event Response:
Semi-Annual Cisco IOS Software Security Advisory Bundled Publication"
at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html
Affected Products
=================
Vulnerable Products
+------------------
Cisco IOS devices running vulnerable versions of Cisco IOS Software
are affected by four vulnerabilities in the Cisco IOS Zone-Based
Firewall. The vulnerabilities are independent of each other. Details
to confirm affected configurations are provided below.
To determine whether a device is configured with Zone-Based Firewall,
log in to the device and issue the show zone security command-line
interface (CLI) command. If the output shows a member interface under
a zone name, the device is vulnerable. The following example shows a
device with Zone-Based Firewall rules configured on both
GigabitEthernet0/0 and GigabitEthernet0/1:
Router#show zone security
zone self
Description: System defined zone
zone inside
Description: *** Inside Network ***
Member Interfaces:
GigabitEthernet0/0
zone outside
Description: *** Outside Network ***
Member Interfaces:
GigabitEthernet0/1
Router#
The following sections provide more details on the specific features
containing the vulnerabilities.
Memory Leak Associated with Crafted IP Packets
+---------------------------------------------
There is no specific configuration necessary for a device to be
vulnerable to the memory leak associated with crafted IP packets. If
the Zone-Based Firewall is configured, the device is vulnerable.
Memory Leak in HTTP Inspection
+-----------------------------
For the device to be vulnerable to the memory leak associated with
HTTP inspection, the Zone-Based Firewall must be configured to
perform HTTP inspection with the Zone-Based Firewall.
To determine whether a device is configured for HTTP inspection,
enter the command show policy-map type inspect zone-pair | include
Match: protocol http. The following example shows a vulnerable device
configured with Cisco IOS Zone-Based Policy Firewall HTTP inspection:
Router#show policy-map type inspect zone-pair | include Match: protocol http
Match: protocol http
Memory Leak in H.323 Inspection
+------------------------------
For a device to be vulnerable to the memory leak associated with
H.323 inspection, the Zone-Based Firewall must be configured to
perform H.323 inspection. To determine if a device is configured for
H.323 inspection enter the command show policy-map type inspect
zone-pair | include Match: protocol h323. If the output contains
"Match: protocol h323" the device is vulnerable. The following
example shows a vulnerable device configured with Cisco IOS
Zone-Based Policy Firewall H.323 inspection:
Router# show policy-map type inspect zone-pair | include Match: protocol h323
Match: protocol h323
Memory Leak in SIP Inspection
+----------------------------
The device is vulnerable if the configuration has either a Layer 4 or
Layer 7 Session Initiation Protocol (SIP) application-specific policy
configured, and the policy is applied to any firewall zone. To
determine whether a device is configured for SIP inspection enter the
command show policy-map type inspect zone-pair | include Match:
protocol sip. If the output contains "Match: protocol sip" the device
is vulnerable. The following example shows a vulnerable device
configured with Cisco IOS Zone-Based Policy Firewall SIP inspection:
Router# show policy-map type inspect zone-pair | include Match: protocol sip
Match: protocol sip
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 15.0(1)M1 with an installed image name of
C3900-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS and NX-OS
Software Reference Guide" at http://www.cisco.com/web/about/security/
intelligence/ios-ref.html.
Products Confirmed Not Vulnerable
+--------------------------------
The following products are confirmed not vulnerable:
* Cisco PIX 500 Series Firewall
* Cisco ASA 5500 Series Adaptive Security Appliance
* Firewall Services Module (FWSM) for Catalyst 6500 Series Switches
and 7600 Series Routers
* Virtual Firewall (VFW) application on the multiservice blade
(MSB) on the Cisco XR 12000 Series Router
* Cisco ACE Application Control Engine Module
* Cisco IOS devices configured with legacy Cisco IOS Firewall
support
* Cisco IOS XR Software
* Cisco IOS XE Software
* Cisco Catalyst 6500 Series ASA Services Module
* Context-Based Access Control (CBAC)
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Firewalls are networking devices that control access to the network
assets of an organization. Firewalls are often positioned at the
entrance points of networks. Cisco IOS Software provides a set of
security features that allow the configuration of a firewall policy
to match an organization's requirements.
The vulnerabilities described in this advisory affect the Zone-Based
Firewall feature. The Zone-Based Policy Firewall (also known as
Zone-Policy Firewall or ZFW) updates the firewall configuration from
the older interface-based model to a more flexible, more easily
understood zone-based model. Interfaces are assigned to zones, and
inspection policy is applied to traffic moving between the zones.
Inter-zone policies offer considerable flexibility and granularity,
so different inspection policies can be applied to multiple host
groups connected to the same router interface.
More information on the Zone-Based Firewall is available at:
http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080…
Memory Leak Associated with Crafted IP Packets
+---------------------------------------------
A vulnerability exists in the Zone-Based Firewall implementation in
Cisco IOS Software that could allow a remote attacker to cause an
affected device to reload or to trigger memory leaks that may result
in system instabilities. These vulnerabilities are triggered when the
device that is running Cisco IOS Software processes crafted IP
packets. Only traffic destined to an IP address configured on the
device can trigger the vulnerability; transit traffic is not an
exploit vector.
This vulnerability is documented in Cisco bug ID CSCto89536
and has been assigned the Common Vulnerabilities and Exposures
(CVE) identifier CVE-2012-1310.
Memory Leak in HTTP Inspection
+---------------------------------------------
The HTTP Inspection Engine feature allows users to configure their
Cisco IOS Firewall to detect and filter HTTP connections-such as
tunneling over port 80, unauthorized request methods, and non-HTTP
compliant file transfers-that are not authorized within the scope of
the security policy configuration.
A vulnerability exists in the implementation of the Cisco IOS
Software HTTP inspection feature that could allow a remote attacker
to cause an affected device to reload or to trigger memory leaks that
may result in system instabilities. This vulnerability is triggered
when the device that is running Cisco IOS Software processes certain
HTTP messages. Transit HTTP traffic is an exploit vector.
This vulnerability is documented in Cisco bug ID CSCtq36153
and has been assigned CVE ID CVE-2012-0387.
More information on HTTP inspection is available at:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_fwapc.ht…
Memory Leak in H.323 Inspection
+---------------------------------------------
H.323 is the ITU standard for real-time multimedia communications and
conferencing over packet-based (IP) networks. A vulnerability exists
in the implementation of the Cisco IOS Software H.323 inspection
feature that could allow a remote attacker to cause an affected
device to reload or to trigger memory leaks that may result in system
instabilities. This vulnerability is triggered when the device that
is running Cisco IOS Software processes malformed H.323 messages.
Transit H.323 traffic is an exploit vector.
This vulnerability is documented in Cisco bug ID CSCtq45553
and has been assigned the CVE ID CVE-2012-0388.
More information on H.323 inspection is available at:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/15-2…
Memory Leak in SIP Inspection
+---------------------------------------------
SIP is a popular signaling protocol that is used to manage voice and
video calls across IP networks, such as the Internet. SIP is
responsible for handling all aspects of call setup and termination.
Voice and video are the most popular types of sessions that SIP
handles, but the protocol has the flexibility to accommodate other
applications that require call setup and termination. SIP call
signaling can use UDP (port 5060), TCP (port 5060), or Transport
Layer Security (TLS; TCP port 5061) as the underlying transport
protocol.
A vulnerability exists in the implementation of the Cisco IOS SIP
inspection feature that could allow a remote attacker to cause an
affected device to reload or to trigger memory leaks that may result
in system instabilities. This vulnerability is triggered when the
device that is running Cisco IOS Software processes crafted SIP
messages. Transit SIP traffic is an exploit vector.
This vulnerability is documented in Cisco bug ID CSCti46171
and has been assigned CVE ID CVE-2012-1315.
More information on SIP inspection is available at:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_sip_al…
Memory Leak Detection
+---------------------------------------------
Detected memory leaks can be viewed using the command show memory
debug leaks chunks in privileged EXEC mode, as shown in the following
example:
Router# show memory debug leaks chunks
Adding blocks for GD... I/O memory Address Size Alloc_pc PID
Alloc-Proc Name Chunk Elements:
AllocPC Address Size Parent Name Processor memory Address Size
Alloc_pc PID Alloc-Proc Name
4733113C 188 419CB164 129 IP Input FW h225 tpkt
The previous example shows a memory leak in the process FW h225 tpkt.
The show memory debug leaks command was introduced in Cisco IOS
Software versions 12.3(8)T1 and 12.2(25)S.
Caution: All show memory debug commands must be used on customer
networks only to diagnose the router for memory leaks when memory
depletion is observed. These commands may cause high CPU utilization
and may cause time-sensitive protocols to flap. These commands are
recommended to be used in maintenance windows.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerabilities in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority
of a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the
environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* Memory Leak associated with crafted IP packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Memory Leak in HTTP inspection
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Memory Leak in H.323 inspection
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Memory Leak in SIP Inspection
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities may result in a
reload of the affected device. Repeated exploit attempts may result
in a sustained denial of service (DoS) attack.
Software Versions and Fixes
===========================
When considering software upgrades, customers are advised to consult
the Cisco Security Advisories and Responses archive at:
http://www.cisco.com/go/psirt and review subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and
software configurations will continue to be supported properly by the
new release. If the information is not clear, customers are advised
to contact the Cisco Technical Assistance Center (TAC) or their
contracted maintenance providers.
Cisco IOS Software
+-----------------
Each row of the following Cisco IOS Software table corresponds to a
Cisco IOS Software train. If a particular train is vulnerable, the
earliest releases that contain the fix are listed in the First Fixed
Release column. The First Fixed Release for All Advisories in the
March 2012 Bundled Publication column lists the earliest possible
releases that correct all the published vulnerabilities in the Cisco
IOS Software Security Advisory bundled publication. Cisco recommends
upgrading to the latest available release, where possible.
The Cisco IOS Software Checker allows customers to search for Cisco
Security Advisories that address specific Cisco IOS Software
releases. This tool is available on the Cisco Security Intelligence
Operations (SIO) portal at:
http://tools.cisco.com/security/center/selectIOSVersion.x
+------------------------------------------+
| Major | Availability of |
| Release | Repaired Releases |
|------------+-----------------------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 12.0-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------------------------------------|
| There are no affected 12.0 based |
| releases |
|------------------------------------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 12.2-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------------------------------------|
| There are no affected 12.2 based |
| releases |
|------------------------------------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 12.3-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------------------------------------|
| There are no affected 12.3 based |
| releases |
|------------------------------------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 12.4-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4 | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4GC | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| 12.4JA | Not | 12.4(23c)JA4 |
| | vulnerable | 12.4(25e)JA |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4JAX | Not | First fixed |
| | vulnerable | in Release |
| | | 12.4JA |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4JDA | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4JDC | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4JDD | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4JDE | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4JHA | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4JHB | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4JHC | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4JK | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4JL | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4JX | Not | First fixed |
| | vulnerable | in Release |
| | | 12.4JA |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4JY | Not | First fixed |
| | vulnerable | in Release |
| | | 12.4JA |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4JZ | Not | First fixed |
| | vulnerable | in Release |
| | | 12.4JA |
|------------+--------------+--------------|
| | 12.4(22)MD3; | 12.4(22)MD3; |
| 12.4MD | Available on | Available on |
| | 30-MAR-12 | 30-MAR-12 |
|------------+--------------+--------------|
| 12.4MDA | 12.4(24) | 12.4(24) |
| | MDA11 | MDA11 |
|------------+--------------+--------------|
| 12.4MDB | 12.4(24) | 12.4(24) |
| | MDB5a | MDB5a |
|------------+--------------+--------------|
| 12.4MDC | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | Releases up | organization |
| | to and | per the |
| 12.4MR | including | instructions |
| | 12.4(19)MR3 | in Obtaining |
| | are not | Fixed |
| | vulnerable. | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4MRA | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4MRB | First fixed | First fixed |
| | in Release | in Release |
| | 15.0M | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4SW | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | 12.4(24)T7 | |
| | | |
| | Releases up | 12.4(15)T17 |
| 12.4T | to and | 12.4(24)T7 |
| | including | |
| | 12.4(15)T17 | |
| | are not | |
| | vulnerable. | |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XA | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XB | Not | First fixed |
| | vulnerable | in Release |
| | | 12.4T |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XC | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XD | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XE | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XF | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XG | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XJ | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XK | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4XL | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XM | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4XN | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4XP | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XQ | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | |
| | First fixed | |
| | in Release | |
| | 12.4T | Vulnerable; |
| 12.4XR | Releases up | First fixed |
| | to and | in Release |
| | including | 12.4T |
| | 12.4(15)XR10 | |
| | are not | |
| | vulnerable. | |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XT | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 12.4XV | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XW | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | | Vulnerable; |
| 12.4XY | Not | First fixed |
| | vulnerable | in Release |
| | | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4XZ | First fixed | First fixed |
| | in Release | in Release |
| | 15.0M | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 12.4YA | First fixed | First fixed |
| | in Release | in Release |
| | 15.0M | 15.0M |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4YB | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| | contact your | contact your |
| | support | support |
| | organization | organization |
| | per the | per the |
| 12.4YD | instructions | instructions |
| | in Obtaining | in Obtaining |
| | Fixed | Fixed |
| | Software | Software |
| | section of | section of |
| | this | this |
| | advisory. | advisory. |
|------------+--------------+--------------|
| 12.4YE | 12.4(24)YE3d | 12.4(24)YE3d |
|------------+--------------+--------------|
| 12.4YG | 12.4(24)YG4 | 12.4(24)YG4 |
|------------+--------------+--------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 15.0-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------+--------------+--------------|
| 15.0M | 15.0(1)M8 | 15.0(1)M8 |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 15.0MR | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 15.0MRA | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | 15.0(1)S5 |
| | | Cisco IOS XE |
| | Not | devices: |
| 15.0S | vulnerable | Please see |
| | | Cisco IOS XE |
| | | Software |
| | | Availability |
|------------+--------------+--------------|
| 15.0SA | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| 15.0SE | Not | 15.0(1)SE1 |
| | vulnerable | |
|------------+--------------+--------------|
| | | 15.0(2)SG2 |
| | | Cisco IOS XE |
| | Not | devices: |
| 15.0SG | vulnerable | Please see |
| | | Cisco IOS XE |
| | | Software |
| | | Availability |
|------------+--------------+--------------|
| 15.0SY | Not | 15.0(1)SY1 |
| | vulnerable | |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 15.0XA | First fixed | First fixed |
| | in Release | in Release |
| | 15.1T | 15.1T |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | First fixed |
| | | in Release |
| | | 15.0SG Cisco |
| 15.0XO | Not | IOS XE |
| | vulnerable | devices: |
| | | Please see |
| | | Cisco IOS XE |
| | | Software |
| | | Availability |
|------------+--------------+--------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 15.1-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------+--------------+--------------|
| 15.1EY | Not | 15.1(2)EY2 |
| | vulnerable | |
|------------+--------------+--------------|
| 15.1GC | 15.1(2)GC2 | 15.1(2)GC2 |
|------------+--------------+--------------|
| | 15.1(4)M3 | 15.1(4)M4; |
| 15.1M | | Available on |
| | | 30-MAR-12 |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 15.1MR | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| | | 15.1(3)S2 |
| | | Cisco IOS XE |
| | Not | devices: |
| 15.1S | vulnerable | Please see |
| | | Cisco IOS XE |
| | | Software |
| | | Availability |
|------------+--------------+--------------|
| 15.1SG | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| | | Vulnerable; |
| | | contact your |
| | | support |
| | | organization |
| | | per the |
| 15.1SNG | Not | instructions |
| | vulnerable | in Obtaining |
| | | Fixed |
| | | Software |
| | | section of |
| | | this |
| | | advisory. |
|------------+--------------+--------------|
| 15.1SNH | Not | Not |
| | vulnerable | vulnerable |
|------------+--------------+--------------|
| 15.1T | 15.1(3)T3 | 15.1(3)T3 |
|------------+--------------+--------------|
| | Vulnerable; | Vulnerable; |
| 15.1XB | First fixed | First fixed |
| | in Release | in Release |
| | 15.1T | 15.1T |
|------------+--------------+--------------|
| | | First Fixed |
| | | Release for |
| | | All |
| | | Advisories |
| Affected | First Fixed | in the March |
| 15.2-Based | Release | 2012 Cisco |
| Releases | | IOS Software |
| | | Security |
| | | Advisory |
| | | Bundled |
| | | Publication |
|------------+--------------+--------------|
| 15.2GC | 15.2(1)GC2 | 15.2(1)GC2 |
|------------+--------------+--------------|
| | | 15.2(1)S1 |
| | | Cisco IOS XE |
| | | devices: |
| 15.2S | Not | Please see |
| | vulnerable | Cisco IOS XE |
| | | Software |
| | | Availability |
| | | |
|------------+--------------+--------------|
| | | 15.2(1)T2 |
| | 15.2(1)T2 | 15.2(2)T1 |
| 15.2T | 15.2(2)T | 15.2(3)T; |
| | 15.2(2)T1 | Available on |
| | | 30-MAR-12 |
+------------------------------------------+
* Cisco Catalyst 3550 Series Switches support the Internet Key
Exchange (IKE) feature and are vulnerable to Cisco bug ID CSCts38429
when the devices are running Layer 3 images; however, this product
reached the End of Software Maintenance milestone. Cisco 3550 Series
SMI Switches that are running Layer 2 images do not support IKE and
are not vulnerable. No other Cisco devices that run 12.2SE-based
software are vulnerable.
Cisco IOS XE Software
+--------------------
Cisco IOS XE Software is not affected by the vulnerabilities that are
disclosed in this document.
For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S
Release Notes, and Cisco IOS XE 3SG Release Notes.
Cisco IOS XR Software
+--------------------
Cisco IOS XR Software is not affected by any of the vulnerabilities
disclosed in the March 2012 Cisco IOS Software Security Advisory
Bundled Publication.
Workarounds
===========
There are no workarounds that mitigate the vulnerabilities described
in this advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerabilities described in this advisory. Prior to deploying
software, customers are advised to consult their maintenance
providers or check the software for feature set compatibility and
known issues that are specific to their environments.
Customers may only install and expect support for feature sets they
have purchased. By installing, downloading, accessing, or otherwise
using such software upgrades, customers agree to follow the terms of
the Cisco software license at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, upgrades should be
obtained through the Software Center on Cisco.com at:
http://www.cisco.com
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their
service providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should obtain upgrades by contacting the Cisco
Technical Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerabilities that are described in this advisory.
These vulnerabilities were discovered by Cisco during normal internal
security testing.
Status of This Notice: Final
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce(a)cisco.com
* first-bulletins(a)lists.first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2012-March-28 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco is available
on Cisco.com at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.…
This web page includes instructions for press inquiries regarding Cisco
Security Advisories.
All Cisco Security Advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFPcSUMQXnnBKKRMNARCA3iAP48lwmrPR8E6Wi6CVHpEpqoDUnfuHJA/e4E
tz+jl1voLwD+NNC2Y5SFONTzfed+n4Ib3cxVLPAwafgVDlr+HhITJgc=
=Na2V
-----END PGP SIGNATURE-----
10 years, 3 months
- 1
- 0
Cisco Security Advisory: Cisco IOS Software Network Address Translation Vulnerability
by Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Cisco IOS Software Network Address Translation
Vulnerability
Advisory ID: cisco-sa-20120328-nat
Revision 1.0
For Public Release 2012 March 28 16:00 UTC (GMT)
+--------------------------------------------------------------------
Summary
=======
The Cisco IOS Software Network Address Translation (NAT) feature
contains a denial of service (DoS) vulnerability in the translation of
Session Initiation Protocol (SIP) packets.
The vulnerability is caused when packets in transit on the vulnerable
device require translation on the SIP payload.
Cisco has released free software updates that address this
vulnerability. A workaround that mitigates the vulnerability is
available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled
publication includes nine Cisco Security Advisories. Each advisory
lists the Cisco IOS Software releases that correct the vulnerability
or vulnerabilities detailed in the advisory as well as the Cisco IOS
Software releases that correct all vulnerabilities in the March 2012
bundled publication.
Individual publication links are in "Cisco Event Response: Semi-Annual
Cisco IOS Software Security Advisory Bundled Publication" at the
following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html
Affected Products
=================
Vulnerable Products
+------------------
Cisco devices that are running Cisco IOS Software are vulnerable when
they are configured for NAT and contain support for NAT for Session
Initiation Protocol.
There are two methods to determine if a device is configured for
NAT:
* Determine if NAT is active on a running device.
* Determine if NAT commands are included in the device
configuration.
Determine if NAT is Active on a Running Device
+---------------------------------------------
The preferred method to verify whether NAT is enabled on a Cisco IOS
device is to log in to the device and issue the "show ip nat statistics"
command. If NAT is active, the sections "Outside interfaces" and "Inside
interfaces" will each include at least one interface. The following
example shows a device on which the NAT feature is active:
Router#show ip nat statistics
Total translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet1
Hits: 135 Misses: 5
Expired translations: 2
Dynamic mappings:
-- Inside Source
access-list 1 pool mypool refcount 2
pool mypool: netmask 255.255.255.0
start 192.168.10.1 end 192.168.10.254
type generic, total addresses 14, allocated 2 (14%), misses 0
Depending on the Cisco IOS Software release, the interface lists can be
in the lines following the "Outside interfaces" and "Inside interfaces".
In releases that support the "section" filter on "show" commands, the
administrator can determine whether NAT is active by using the "show
ip nat statistics | section interfaces" command, as illustrated in the
following example:
Router> show ip nat statistics | section interfaces
Outside interfaces:
GigabitEthernet0/0
Inside interfaces:
GigabitEthernet0/1
Router>
Determine if NAT Commands are Included in the Device Configuration
+-----------------------------------------------------------------
Alternatively, to determine whether NAT has been enabled in the Cisco
IOS Software configuration, either the "ip nat inside" or "ip nat
outside" commands must be present in different interfaces, or in the
case of the NAT Virtual Interface, the "ip nat enable" interface command
will be present.
Determine the Cisco IOS Software Release
+---------------------------------------
To determine the Cisco IOS Software release that is running on a Cisco
product, administrators can log in to the device and issue the "show
version" command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or "Cisco
IOS Software." The image name displays in parentheses, followed by
"Version" and the Cisco IOS Software release name. Other Cisco devices
do not have the "show version" command or may provide different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 15.0(1)M1 with an installed image name of
C3900-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS and NX-OS
Software Reference Guide" at:
http://www.cisco.com/web/about/security/intelligence/ios-ref.html
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
Cisco IOS Software NAT SIP Memory Starvation Vulnerability
NAT SIP application level gateway (ALG) translation of SIP packets could
cause a memory resource exhaustion condition that can lead to a DoS
condition, which could cause the reload of the vulnerable device.
NAT for SIP is performed on UDP port 5060 packets by default. The
port is configurable using the "ip nat service sip udp port" global
configuration command.
This vulnerability is documented in Cisco bug ID CSCti35326 and has been
assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-0383.
Vulnerability Scoring Details
=============================
Cisco has scored the vulnerability in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority
of a response.
Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help determine the impact of the
vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the
following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to compute the environmental
impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCti35326 ("Cisco IOS Software NAT SIP Memory Starvation Vulnerability")
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of this vulnerability may cause incrementing
use of memory that will not be released until the device is reloaded.
This memory consumption could lead to a DoS condition and cause the
vulnerable device to become unresponsive or reload.
Software Versions and Fixes
===========================
Cisco IOS Software
Each row of the following Cisco IOS Software table corresponds to a
Cisco IOS Software train. If a particular train is vulnerable, the
earliest releases that contain the fix are listed in the First Fixed
Release column. The First Fixed Release for All Advisories in the
March 2012 Bundled Publication column lists the earliest possible
releases that correct all the published vulnerabilities in the Cisco
IOS Software Security Advisory bundled publication. Cisco recommends
upgrading to the latest available release, where possible.
The Cisco IOS Software Checker allows customers to search for Cisco
Security Advisories that address specific Cisco IOS Software
releases. This tool is available on the Cisco Security Intelligence
Operations (SIO) portal at:
http://tools.cisco.com/security/center/selectIOSVersion.x
+------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|----------+-------------------------------------------------|
| Affected | |First Fixed Release for All |
|12.0-Based|First Fixed Release |Advisories in the March 2012|
| Releases | |Cisco IOS Software Security |
| | |Advisory Bundled Publication|
|------------------------------------------------------------|
| There are no affected 12.0 based releases |
|------------------------------------------------------------|
| Affected | |First Fixed Release for All |
|12.2-Based|First Fixed Release |Advisories in the March 2012|
| Releases | |Cisco IOS Software Security |
| | |Advisory Bundled Publication|
|------------------------------------------------------------|
| There are no affected 12.2 based releases |
|------------------------------------------------------------|
| Affected | |First Fixed Release for All |
|12.3-Based|First Fixed Release |Advisories in the March 2012|
| Releases | |Cisco IOS Software Security |
| | |Advisory Bundled Publication|
|------------------------------------------------------------|
| There are no affected 12.3 based releases |
|------------------------------------------------------------|
| Affected | |First Fixed Release for All |
|12.4-Based|First Fixed Release |Advisories in the March 2012|
| Releases | |Cisco IOS Software Security |
| | |Advisory Bundled Publication|
|----------+--------------------+----------------------------|
|12.4 |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+--------------------+----------------------------|
| |Releases up to and |Vulnerable; contact your |
| |including 12.4(24) |support organization per the|
|12.4GC |GC3a are not |instructions in Obtaining |
| |vulnerable. |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
|12.4JA |Not vulnerable |12.4(23c)JA4 |
| | |12.4(25e)JA |
|----------+--------------------+----------------------------|
|12.4JAX |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.4JA |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4JDA |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4JDC |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4JDD |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4JDE |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4JHA |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4JHB |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4JHC |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4JK |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4JL |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
|12.4JX |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.4JA |
|----------+--------------------+----------------------------|
|12.4JY |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.4JA |
|----------+--------------------+----------------------------|
|12.4JZ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.4JA |
|----------+--------------------+----------------------------|
| |Only releases 12.4 |12.4(22)MD3; Available on |
|12.4MD |(24)MD5 and 12.4(24)|30-MAR-12 |
| |MD6 are vulnerable. | |
|----------+--------------------+----------------------------|
| |Releases 12.4(24) | |
| |MDA5 and prior are | |
|12.4MDA |not vulnerable; |12.4(24)MDA11 |
| |first fixed in 12.2 | |
| |(24)MDA11 | |
|----------+--------------------+----------------------------|
|12.4MDB |12.4(24)MDB4 |12.4(24)MDB5a |
|----------+--------------------+----------------------------|
|12.4MDC |Not vulnerable |Not vulnerable |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4MR |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4MRA |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
|12.4MRB |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+--------------------+----------------------------|
|12.4SW |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+--------------------+----------------------------|
| |Only releases 12.4 |12.4(15)T17 |
|12.4T |(24)T5 and 12.4(24) |12.4(24)T7 |
| |T6 are vulnerable. | |
|----------+--------------------+----------------------------|
|12.4XA |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+--------------------+----------------------------|
|12.4XB |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.4T |
|----------+--------------------+----------------------------|
|12.4XC |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+--------------------+----------------------------|
|12.4XD |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+--------------------+----------------------------|
|12.4XE |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+--------------------+----------------------------|
|12.4XF |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+--------------------+----------------------------|
|12.4XG |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+--------------------+----------------------------|
|12.4XJ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+--------------------+----------------------------|
|12.4XK |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4XL |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
|12.4XM |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4XN |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4XP |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
|12.4XQ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+--------------------+----------------------------|
|12.4XR |Not vulnerable |Vulnerable; First fixed in |
| | |Release 12.4T |
|----------+--------------------+----------------------------|
|12.4XT |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4XV |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
|12.4XW |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+--------------------+----------------------------|
|12.4XY |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+--------------------+----------------------------|
|12.4XZ |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+--------------------+----------------------------|
|12.4YA |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.0M |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4YB |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|12.4YD |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
|12.4YE |Not vulnerable |12.4(24)YE3d |
|----------+--------------------+----------------------------|
|12.4YG |Not vulnerable |12.4(24)YG4 |
|----------+--------------------+----------------------------|
| Affected | |First Fixed Release for All |
|15.0-Based|First Fixed Release |Advisories in the March 2012|
| Releases | |Cisco IOS Software Security |
| | |Advisory Bundled Publication|
|----------+--------------------+----------------------------|
| |Only releases 15.0 | |
|15.0M |(1)M4 and 15.0(1)M5 |15.0(1)M8 |
| |are vulnerable. | |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|15.0MR |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|15.0MRA |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
| |Not vulnerable | |
| |Cisco IOS XE |15.0(1)S5 |
|15.0S |devices: Please see |Cisco IOS XE devices: Please|
| |Cisco IOS XE |see Cisco IOS XE Software |
| |Software |Availability |
| |Availability | |
|----------+--------------------+----------------------------|
|15.0SA |Not vulnerable |Not vulnerable |
|----------+--------------------+----------------------------|
|15.0SE |Not vulnerable |15.0(1)SE1 |
|----------+--------------------+----------------------------|
| |Not vulnerable | |
| |Cisco IOS XE |15.0(2)SG2 |
|15.0SG |devices: Please see |Cisco IOS XE devices: Please|
| |Cisco IOS XE |see Cisco IOS XE Software |
| |Software |Availability |
| |Availability | |
|----------+--------------------+----------------------------|
|15.0SY |Not vulnerable |15.0(1)SY1 |
|----------+--------------------+----------------------------|
|15.0XA |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.1T |
|----------+--------------------+----------------------------|
| |Cisco IOS XE | |
| |devices: Please see |Cisco IOS XE devices: Please|
|15.0XO |Cisco IOS-XE |see Cisco IOS-XE Software |
| |Software |Availability |
| |Availability | |
|----------+--------------------+----------------------------|
| Affected | |First Fixed Release for All |
|15.1-Based|First Fixed Release |Advisories in the March 2012|
| Releases | |Cisco IOS Software Security |
| | |Advisory Bundled Publication|
|----------+--------------------+----------------------------|
|15.1EY |Not vulnerable |15.1(2)EY2 |
|----------+--------------------+----------------------------|
|15.1GC |Not vulnerable |15.1(2)GC2 |
|----------+--------------------+----------------------------|
|15.1M |Not vulnerable |15.1(4)M4; Available on |
| | |30-MAR-12 |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|15.1MR |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
| |Not vulnerable | |
| |Cisco IOS XE |15.1(3)S2 |
|15.1S |devices: Please see |Cisco IOS XE devices: Please|
| |Cisco IOS XE |see Cisco IOS XE Software |
| |Software |Availability |
| |Availability | |
|----------+--------------------+----------------------------|
| |Not vulnerable | |
| |Cisco IOS XE |Not vulnerable |
|15.1SG |devices: Please see |Cisco IOS XE devices: Please|
| |Cisco IOS XE |see Cisco IOS XE Software |
| |Software |Availability |
| |Availability | |
|----------+--------------------+----------------------------|
| | |Vulnerable; contact your |
| | |support organization per the|
|15.1SNG |Not vulnerable |instructions in Obtaining |
| | |Fixed Software section of |
| | |this advisory. |
|----------+--------------------+----------------------------|
|15.1SNH |Not vulnerable |Not vulnerable |
|----------+--------------------+----------------------------|
| |15.1(1)T4 | |
|15.1T |15.1(2)T5; Available|15.1(3)T3 |
| |on 27-APR-12 | |
| |15.1(3)T | |
|----------+--------------------+----------------------------|
|15.1XB |Not vulnerable |Vulnerable; First fixed in |
| | |Release 15.1T |
|----------+--------------------+----------------------------|
| Affected | |First Fixed Release for All |
|15.2-Based|First Fixed Release |Advisories in the March 2012|
| Releases | |Cisco IOS Software Security |
| | |Advisory Bundled Publication|
|------------------------------------------------------------|
| There are no affected 15.2 based releases |
+------------------------------------------------------------+
Cisco IOS XE Software
+--------------------
Cisco IOS XE Software is not affected by the vulnerability that is
disclosed in this document.
Cisco IOS XR Software
+--------------------
Cisco IOS XR Software is not affected by any of the vulnerabilities
disclosed in the March 2012 Cisco IOS Software Security Advisory bundled
publication.
Workarounds
===========
NAT for SIP Resource Exhaustion Vulnerability
+--------------------------------------------
This vulnerability can be mitigated by disabling NAT SIP ALG over the
UDP transport by using the "no ip nat service sip udp port 5060" global
configuration command. This command can only be configured in Cisco IOS
images that include the NAT ALG SIP feature. Layer 3 NAT translation
will continue to be performed on SIP packets but the SIP payload will
not be translated.
Obtaining Fixed Software
========================
Cisco has released free software updates that address the
vulnerability|vulnerabilities described in this advisory. Prior to
deploying software, customers are advised to consult their
maintenance providers or check the software for feature set
compatibility and known issues that are specific to their
environments.
Customers may only install and expect support for feature
sets they have purchased. By installing, downloading,
accessing, or otherwise using such software upgrades, customers
agree to follow the terms of the Cisco software license at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as set forth at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt(a)cisco.com or security-alert(a)cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be obtained
through the Software Center on Cisco.com at http://www.cisco.com.
Customers Using Third-Party Support Organizations
+------------------------------------------------
Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.
The effectiveness of any workaround or fix depends on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Because of the variety of
affected products and releases, customers should consult their
service providers or support organizations to ensure that any applied
workaround or fix is the most appropriate in the intended network
before it is deployed.
Customers Without Service Contracts
+----------------------------------
Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should obtain upgrades by contacting the Cisco
Technical Assistance Center (TAC):
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac(a)cisco.com
Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of
entitlement to a free upgrade. Customers without service contracts
should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco Product Security Incident Response Team (PSIRT) is not
aware of any public announcements or malicious use of the
vulnerability that is described in this advisory.
This vulnerability was found during troubleshooting of TAC service
requests.
Status of This Notice: Final
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco Security Intelligence Operations at
the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
Additionally, a text version of this advisory is clear signed with
the Cisco PSIRT PGP key and circulated among the following e-mail
addresses:
* cust-security-announce(a)cisco.com
* first-bulletins(a)lists.first.org
* bugtraq(a)securityfocus.com
* vulnwatch(a)vulnwatch.org
* cisco(a)spot.colorado.edu
* cisco-nsp(a)puck.nether.net
* full-disclosure(a)lists.grok.org.uk
Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this
advisory's URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2012-March-28 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information about reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco is available on Cisco.com at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.….
This web page includes instructions for press inquiries
regarding Cisco Security Advisories. All Cisco Security Advisories are
available at http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iF4EAREIAAYFAk9xNOsACgkQQXnnBKKRMNA9ZgD8DRkOzlhN25SRskCM6aUk2u1W
i09PHPREp3klD75CsG4A/2bnHzLZ6x4vSf3PzWIJWHXAPGDiZS7+JtOyp9IBbyoI
=GnDB
-----END PGP SIGNATURE-----
10 years, 3 months
- 1
- 0