FW: Updated notice on Cisco and land.c

  • Subject: FW: Updated notice on Cisco and land.c
  • From: Barry Raveendran Greene <bgreene at cisco dot com>
  • Date: Sun, 23 Nov 1997 14:00:45 +0800
  • Organization: Cisco Systems - Corporate Consulting Group
  • Reply-to: "bgreene@cisco.com" <bgreene@cisco.com>
  • Sender: owner-apops@apnic.net
      Hello Everyone,
      Here is another update and a URL pointer to track the problem from Cisco's 
      perspective. Note that this message is going not only to the security alert 
      list (BugTraQ and First-Teams), but the general Cisco discussion list 
      (Cisco@Spot) and the core Internet operations list NANOG. So take this 
      Also, keep in mind that ANYTHING on the Internet that uses TCP/IP may be 
      affected, from the customer's PC to the superservers. So, please check with 
      your other vendors. Lists of what is affected and what is not are being 
      discussed on BugTraQ.
      Barry Raveendran Greene
      Senior Consultant
      Corporate Consulting Engineering
      tel: +65 738-5535 ext 235
      e-mail: bgreene at cisco dot com
      -----Original Message-----
      From:	John Bashinski [SMTP:jbash at cisco dot com]
      Sent:	Sunday, November 23, 1997 2:56 AM
      To:	bugtraq at netspace dot org; cisco at spot dot colorado dot edu; first-teams at first dot org; 
      nanog at merit dot edu
      Cc:	ahh at cisco dot com; billw at cisco dot com; ce-group at cisco dot com; dslice at cisco dot com; 
      dweather at cisco dot com; field-alert-ext at cisco dot com; hyen at cisco dot com; kai at cisco dot com; 
      psirt at cisco dot com; psiac at cisco dot com; ricarlso at cisco dot com; ruwhite at cisco dot com; 
      sales-eng at cisco dot com; trhall at cisco dot com; wtsao at cisco dot com
      Subject:	Updated notice on Cisco and land.c
      This is an update to the previous notice. I originally planned just to have
      this updated on the Web site and to post a pointer to the updated Web page,
      but the Web posting seems to be taking a really long time, and I don't want
      to delay the notice any longer. This version will eventually (probably by the
      time most of you read this) be posted at
      That URL will be updated with future versions. We probably won't send the
      whole text out again.
      Important differences between this notice and the last one:
         o There are definitely versions of classic Cisco IOS software that are
           badly affected by the land.c attack.
         o The notice contains detailed information about which IOS versions are
         o Catalyst 5000s, and probably other Catalyst switches, are affected.
         o Various editing and advice changes... nothing really substantive.
      				-- John B.
      Field Notice:
      TCP loopback DoS Attack (land.c) and Cisco Devices
      November 22, 1997, 08:00 AM US/Pacific, Revision 2
      Somebody has released a program, known as land.c, which can be used to
      launch denial of service attacks against various TCP implementations. The
      program sends a TCP SYN packet (a connection initiation), giving the target
      host's address as both source and destination, and using the same port on
      the target host as both source and destination.
      Classic Cisco IOS software (used on Cisco routers with product numbers
      greater than 1000, on the CGS/MGS/AGS+, and on the CS-500) is vulnerable to
      this attack, depending on the software version. See the section on
      "Affected Cisco IOS Software Versions" in this document for information on
      affected versions.
      Cisco IOS/700 software (used on Cisco 7xx routers) is also vulnerable. The
      7xx vulnerability is more devastating than the classic Cisco IOS software
      vulnerability, but probably less dangerous for most customers, since
      firewalls separate most 7xx routers from the Internet.
      Cisco Catalyst 5000 LAN switches are vulnerable. Other Cisco Catalyst
      LAN switches are probably also vulnerable.
      The PIX firewall does not appear to be affected. Initial testing of
      the Centri firewall tends to indicate that it is not affected.
      We're working on characterizing other products' vulnerability to attack.
      Updates will be issued as information becomes available.
      Who is Affected
      All  Cisco IOS/700 software and Cisco Catalyst systems that can be reached
      via TCP from untrusted hosts are affected. Cisco IOS software systems that
      are running vulnerable versions and that can be reached via TCP from
      untrusted hosts are affected.  In all cases, the TCP ports reachable by the
      attack must be ports on which services are actually being provided (such as
      the TELNET port, for most systems). The attack requires spoofing the
      target's own address, so systems behind effective anti-spoofing firewalls
      are safe.
      This vulnerability allows attackers to deny service to legitimate users and
      to administrators. Recovery may require physically visiting the affected
      hardware. Appropriate firewalls can block this attack.
      Classic Cisco IOS Software
      ------------------------
      Classic Cisco IOS software versions fall into three groups in terms of
      vulnerability. Highly vulnerable releases may hang indefinitely, requiring
      hardware resets, when attacked. Moderately vulnerable releases will not
      accept any new TCP connections for about 30 seconds after receiving an
      attack packet, but will recover and will continue to forward packets.
      Largely invulnerable releases will continue to operate normally with
      negligible performance impact. See the section "Affected Cisco IOS Software
      Versions" in this document for information on exactly which versions are
      A configuration workaround for classic Cisco IOS software can prevent the
      problem entirely, subject to performance restrictions, for any version from
      9.21 onward. Cisco has already released software fixes that protect some
      Cisco IOS software versions, and plans to release those fixes for other
      affected versions.
      Cisco IOS/700 Software and 7xx Systems
      ------------------------------------
      Cisco 7xx systems subjected to the attack will hang indefinitely and must be
      physically reset.  A configuration workaround for Cisco IOS/700 software can
      prevent the problem entirely. Cisco plans to release a software fix for this
      Cisco Catalyst LAN Switches
      -------------------------
      Cisco Catalyst switches subjected to the attack will hang indefinitely and
      must be reset. Not all Catalyst products have been tested, but this is
      definitely true of the Catalyst 5000 series, and is expected to be true of
      all Catalyst switches. The only workaround is to remove the IP address from
      the Catalyst switch, or to protect the switch by firewalling it using router
      access lists or dedicated firewall products. Cisco plans to release a
      software fix for this problem.
      Other Cisco Products
      Initial tests indicate that the PIX firewall is not vulnerable to this
      attack. Tests have been conducted with versions and 4.0.7.
      Initial tests indicate that the Centri firewall (build 4.110) is not
      vulnerable to this attack with no exposed services configured. We have not
      yet tested the Centri product with exposed services.
      Cisco IOS Software Details
      Affected Cisco IOS Software Versions and Software Upgrades
      --------------------------------------------------------
      There are two bugs that make Cisco IOS software vulnerable to this attack.
      Fixes exist in the field for both bugs. Bug ID CSCdi71085 makes systems
      highly vulnerable to the attack. Bug ID CSCdi87533 makes systems moderately
      vulnerable. Bug ID CSCdj61324 is a newly-created bug ID that is being used
      as a tag for integration of  the fix for CSCdi87533, plus a largely cosmetic
      change that prevents even the temporary creation of a half-open
      connection. The fix for CSCdj61324 has not yet been integrated into any
      released code, but is not necessary if the fix for CSCdi87533 is present.
      CSCdi71085 and CSCdi87533 divide Cisco IOS software versions into three
      vulnerability classes. Versions that do not have the fix for bug ID
      CSCdi71085 are highly vulnerable, and may hang indefinitely, requiring
      hardware resets, when attacked. This includes all releases before release
      10.3, as well as early 10.3, 11.0, 11.1, and 11.2 versions.
      Versions in which CSCdi71085 has been fixed, but in which CSCdi87533 is
      still present, are moderately vulnerable to the attack. These versions will
      not accept any new TCP connections for about 30 seconds after any attack
      packet is received, but will not hang completely, will continue to forward
      packets without interruption, and will recover with no long-term effects.
      CSCdi87533 has thus far been fixed only in 11.2-based releases; the fix was
      integrated in 11.2(3.4), 11.2(3.4)F, and 11.2(3.4)P.
      Versions in which both CSCdi71085 and CSCdi87533 have been fixed are largely
      invulnerable to this attack. These versions will create half-open TCP
      connections upon receiving attack packets, but will continue to accept
      legitimate TCP connections, and will delete the half-open connections within
      about 30 seconds. The performance impact of such a half-open connection
      during its lifetime is believed to be negligible.
      Future versions in which CSCdj61324 has been fixed will be invulnerable to
      the attack, and will not create half-open connections in response to attack
      packets. We believe the security advantage of the CSCdj61324 fix over the
      CSCdi87533 fix to be negligible; CSCdj61324 is largely a placeholder to be
      used for integrating fixes in future non-11.2 releases.
      If you believe that there is any possibility of hostile attack against your
      system, and if you cannot protect yourself using the configuration
      workaround given above, we strongly recommend that you upgrade to a version
      containing the fix for CSCdi71085, since the impact of CSCdi71085 under this
      attack is very high. The fix for CSCdi71085 is available for releases based
      on 10.3, 11.0, 11.1, and 11.2, and has been in the field for quite some
      time.  Users of 11.2-based releases should upgrade to post-11.2(4) versions,
      thereby getting the fix for CSCdi87533 as well.
      Cisco intends to release fixes for CSCdj61324 (equivalent to CSCdi87533) on
      non-11.2 releases. The timetable for releasing these fixes has not yet been
      At the time of this writing, the following releases are recommended:
                       First released versions with
                       all existing fixes (*= fix for      Recommended for most
       Base Release    CSCdi87533)                         installations
       ------------    ------------------------------      --------------------
       10.3            10.3(16)                            10.3(19a)
       11.0            11.0(12), 11.0(12a)BT               11.0(17), 11.0(17)BT
       11.1            11.1(7), 11.1(7)AA, 11.1(7)CA,      11.1(15), 11.1(15)AA,
                       11.1(9)IA                           11.1(15)CA, 11.1(15)IA
       11.2            11.2(4)*, 11.2(4)F*, 11.2           11.2(10), 11.2(9)P,
       Before 10.3     End of engineering                  10.3(19a)
      As with any software upgrade, you should make sure your system configuration
      is supported by the new software before upgrading. It's especially important
      to make sure that your system has sufficient memory to support the new
      software. Upgrade planning assistance is available from Cisco's Worldwide
      Web site at http://www.cisco.com/.
      Workaround for Classic Cisco IOS Software
      ---------------------------------------
      Classic Cisco IOS software users can use input access lists on their
      interfaces to prevent the attack packets from entering their TCP stacks.
      Input access lists are available in all Cisco IOS software versions from
      9.21 onward. Using an input access list will prevent the attack entirely,
      but may have unacceptable performance impacts on heavily loaded high-end
      routers. Traffic will still be fast-switched, but higher-speed switching
      modes may be disabled by the use of the input access lists. Use care in
      deploying this workaround on heavily loaded routers.
      If you have no existing input access lists, create a new IP extended access
      list. Use a presently-unused number between 100 and 199. The access list
      must have an entry for each IP address configured on the system. Deny
      packets from each address to itself.  For example:
          access-list 101 deny tcp
          access-list 101 deny tcp
          access-list 101 permit ip
      If you have existing access lists, you'll need to merge the new entries in
      an appropriate way, generally at the top of the list. The access list should
      be applied incoming on all interfaces, so a fragment of a total router
      configuration might look like this:
          interface ethernet 0
          ip address
          ip access-group 101 in
          interface ethernet 1
          ip address
          ip access-group 101 in
          access-list 101 deny tcp
          access-list 101 deny tcp
          access-list 101 permit ip
      Cisco IOS/700 Software Details
      All Cisco IOS/700 software versions are vulnerable to this attack. Cisco
      plans to release a software fix. The time of release has not been set.
      Workaround for Cisco IOS/700
      --------------------------
      Add the following configuration command to any profile that may be active
      when connected to a potentially hostile network:
         set ip filter tcp in source <7xx IP address> destination <7xx IP address> 
      This will completely protect the 7xx system. We believe that 7xx
      configurations in which this command has unacceptable performance or other
      impact are extremely rare if they exist at all.
      Cisco Catalyst LAN Switch Details
      Cisco Catalyst 5000 LAN switches are vulnerable to attack. Other Cisco
      Catalyst LAN switches are believed to be vulnerable. Cisco plans to release
      software fixes for the vulnerability. The time of release has not been set.
      The attack may be avoided by not assigning an IP address to the Catalyst
      switch. However, this has the effect of disabling all remote management.
      Depending on its location in the network, it may be possible to protect the
      switch with router access lists or dedicated firewalls. An example of an
      appropriate Cisco router access list entry for specifically protecting an
      individual switch would be:
          access-list 101 deny ip <switch-address> <switch-address>
      Note that this is not a complete access list. Other, more general filters
      are feasible.
      Using Cisco Products to Protect Other Systems
      We do not believe that this attack can be used against systems behind our
      dedicated firewall products, the PIX and Centri firewalls, unless
      general-purpose tunnels have been enabled through the firewalls.  Such
      configurations are not recommended and we believe them to be uncommon.
      Properly designed anti-spoofing access lists at border routers can be used
      to prevent the attack from entering a private network from the Internet. Use
      the access lists to filter out packets whose IP source addresses are on your
      internal net, but which are arriving from interfaces connected to the
      outside Internet.
      Exploitation and Public Announcements
      Cisco has had multiple reports of this vulnerability.
      Most exploitation seems to be using the original program, which sends one
      packet at a time. Floods of invalid packets have not been reported.
      This issue has been widely discussed in a variety of Internet forums.
      Exploitation code is widely available to the public.
      Cisco first heard of this problem on the morning of Friday, November 21.
      Distribution of this Notice
      This notice is being sent to the following Internet mailing lists and
         * cisco at spot dot colorado dot edu
         * comp.dcom.sys.cisco
         * bugtraq at netspace dot org
         * first-teams at first dot org (includes CERT/CC)
         * nanog at merit dot edu
      Updates will be sent to some or all of these, as appropriate.
      This notice will be posted in the "Field Notices" section of Cisco's
      Worldwide Web site, which can be found under "Technical Tips" in the
      "Service and Support" section. The URL will be
      The copy on the Worldwide Web will be updated as appropriate.
      Cisco Security Procedures
      Please report security issues with Cisco products to
      security-alert at cisco dot com.
      Revision History
       Revision 1, 14:00,
       21-NOV-1997               Initial revision
       Revision 2, 08:00         Add information about highly vulnerable
       22-NOV-1997               IOS versions. Add detailed information about
                                 affected version numbers. Add specific bug IDs.
                                 Add upgrade recommendations. Add first
                                 information about Catalyst LAN switches. General
                                 editing and reformatting.
      This notice is copyright 1997 by Cisco Systems, Inc. This notice may be
      redistributed freely provided that redistributed copies are complete and
      unmodified, including all date and version information.
      -----BEGIN PGP SIGNATURE-----
      Version: PGP for Personal Privacy 5.0
      Charset: noconv
      -----END PGP SIGNATURE-----
      To unsubscribe: send "unsubscribe" to apops-request at apnic dot net
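As an added example that is not part of the forwarded notice and is not Cisco's code: a small Python detector for the two conditions the notice describes. The first is the land.c packet itself (a TCP SYN whose source and destination address and port are identical, per the opening paragraph of the notice); the second is the case the notice's border-router anti-spoofing access lists are meant to drop (a packet arriving from the outside whose source address belongs to an internal prefix). The packet builder, the RFC 5737 documentation addresses and the "internal prefix" list are all constructed here for illustration and are not taken from the notice.

```python
"""Detection logic for the land.c packet and for spoofed ingress traffic.

Added example, not code from the notice or from Cisco. It parses a raw
IPv4+TCP packet and checks the two conditions the notice describes:
  * the land.c packet: a SYN whose source and destination address and
    port are identical;
  * a spoofed ingress packet: one seen on an outside interface whose
    source address belongs to one of the site's internal prefixes (the
    case a border-router anti-spoofing access list drops).
The packet builder and all addresses below are constructed test data.
"""
import ipaddress
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10
IPPROTO_TCP = 6


def parse_ipv4_tcp(raw: bytes) -> dict:
    """Extract addresses, ports and TCP flags from a raw IPv4 packet.

    Honours the IHL field so IPv4 options are skipped correctly.
    Raises ValueError for anything that is not a complete IPv4/TCP packet.
    """
    if len(raw) < 20:
        raise ValueError("short IPv4 header")
    if raw[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (raw[0] & 0x0F) * 4          # IPv4 header length in bytes, options included
    if ihl < 20 or len(raw) < ihl + 20:
        raise ValueError("truncated IPv4 or TCP header")
    if raw[9] != IPPROTO_TCP:
        raise ValueError("not TCP")
    src = ipaddress.IPv4Address(raw[12:16])
    dst = ipaddress.IPv4Address(raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    flags = raw[ihl + 13]              # low byte of the TCP flags field
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": flags}


def is_land_packet(raw: bytes) -> bool:
    """True for the packet land.c sends: SYN (not SYN/ACK), src==dst, sport==dport."""
    try:
        p = parse_ipv4_tcp(raw)
    except ValueError:
        return False
    syn_only = (p["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN
    return syn_only and p["src"] == p["dst"] and p["sport"] == p["dport"]


def is_spoofed_ingress(raw: bytes, internal_prefixes) -> bool:
    """True if a packet arriving from the outside claims an internal source address.

    internal_prefixes is an iterable of CIDR strings such as "192.0.2.0/24".
    """
    try:
        p = parse_ipv4_tcp(raw)
    except ValueError:
        return False
    return any(p["src"] in ipaddress.ip_network(net) for net in internal_prefixes)


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal 40-byte IPv4+TCP packet (checksums left zero) for tests."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + tcp


# Constructed sample traffic using RFC 5737 documentation addresses.
INTERNAL_PREFIXES = ["192.0.2.0/24"]          # assumed internal network for the example
SAMPLE_PACKETS = {
    "land_syn":    build_ipv4_tcp("192.0.2.10", "192.0.2.10", 23, 23, TCP_SYN),
    "normal_syn":  build_ipv4_tcp("198.51.100.7", "192.0.2.10", 40000, 23, TCP_SYN),
    "land_synack": build_ipv4_tcp("192.0.2.10", "192.0.2.10", 23, 23, TCP_SYN | TCP_ACK),
    "spoofed_syn": build_ipv4_tcp("192.0.2.99", "192.0.2.10", 1025, 23, TCP_SYN),
}


def classify_outside_traffic(packets=SAMPLE_PACKETS, internal=INTERNAL_PREFIXES) -> dict:
    """Label each packet as seen on the outside interface: land / spoofed / ok."""
    verdicts = {}
    for name, raw in packets.items():
        if is_land_packet(raw):
            verdicts[name] = "land"
        elif is_spoofed_ingress(raw, internal):
            verdicts[name] = "spoofed"
        else:
            verdicts[name] = "ok"
    return verdicts


if __name__ == "__main__":
    for name, verdict in classify_outside_traffic().items():
        print(f"{name:12s} -> {verdict}")
```

The two predicates are exactly what the notice's router access lists express in configuration: the per-interface "deny packets from each address to itself" entries correspond to `is_land_packet`, and the border anti-spoofing list corresponds to `is_spoofed_ingress`. Note that the spoofing check alone already catches the land.c packet at a border, since its forged source is by definition one of your own addresses; the SYN-only test is what distinguishes the land.c packet from, say, a SYN/ACK with the same addressing.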