[apops] Cisco Security Advisory: Crafted IP Option Vulnerability

  • To: apops at apops dot net
  • Subject: [apops] Cisco Security Advisory: Crafted IP Option Vulnerability
  • From: Cisco Systems Product Security Incident Response Team <psirt at cisco dot com>
  • Date: Wed, 24 Jan 2007 12:00:00 -0500
  • Cc: psirt at cisco dot com
  • List-archive: <http://www.apnic.net/mailing-lists/apops>
  • List-help: <mailto:apops-request@apops.net?subject=help>
  • List-id: Asia Pacific Operators Forum <apops.apops.net>
  • List-post: <mailto:apops@apops.net>
  • List-subscribe: <http://mailman.apnic.net/mailman/listinfo/apops>, <mailto:apops-request@apops.net?subject=subscribe>
  • List-unsubscribe: <http://mailman.apnic.net/mailman/listinfo/apops>, <mailto:apops-request@apops.net?subject=unsubscribe>
  • Prevent-nondelivery-report:
  • Reply-to: psirt@cisco.com
  • Sender: nobody@cisco.com
    • Hash: SHA1
      
      Cisco Security Advisory: Crafted IP Option Vulnerability
      
      Advisory ID: cisco-sa-20070124-crafted-ip-option
      
      http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
      
      Revision 1.0
      
      For Public Release 2007 January 24 1600 UTC (GMT)
      
      +--------------------------------------------------------------------
      
      Contents
      ========
      
          Summary
          Affected Products
          Details
          Vulnerability Scoring Details
          Impact
          Software Version and Fixes
          Workarounds
          Obtaining Fixed Software
          Exploitation and Public Announcements
          Status of this Notice: FINAL
          Distribution
          Revision History
          Cisco Security Procedures
      
      - ---------------------------------------------------------------------
      
      Summary
      =======
      
      Cisco routers and switches running Cisco IOS® or Cisco IOS XR
      software may be vulnerable to a remotely exploitable crafted IP
      option Denial of Service (DoS) attack. Exploitation of the
      vulnerability may potentially allow for arbitrary code execution. The
      vulnerability may be exploited after processing an Internet Control
      Message Protocol (ICMP) packet, Protocol Independent Multicast
      version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet,
      or URL Rendezvous Directory (URD) packet containing a specific
      crafted IP option in the packet's IP header. No other IP protocols
      are affected by this issue.
      
      Cisco has made free software available to address this vulnerability
      for affected customers.
      
      There are workarounds available to mitigate the effects of the
      vulnerability.
      
      This vulnerability was discovered during internal testing.
      
      This advisory is available at 
      http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
      
      Affected Products
      =================
      
      Vulnerable Products
      +------------------
      
      This issue affects all Cisco devices running Cisco IOS or Cisco IOS
      XR software and configured to process Internet Protocol version 4
      (IPv4) packets. Devices which run only Internet Protocol version 6
      (IPv6) are not affected.
      
      This vulnerability is present in all unfixed versions of Cisco IOS
      software, including versions 9.x, 10.x, 11.x and 12.x.
      
      This vulnerability is present in all unfixed versions of Cisco IOS XR
      software, including versions 2.0.X, 3.0.X, and 3.2.X.
      
      All versions of Cisco IOS or Cisco IOS XR prior to the versions
      listed in the Fixed Software table below may be susceptible to this
      vulnerability.
      
      To determine the software running on a Cisco product, log in to the
      device and issue the "show version" command to display the system
      banner. Cisco IOS software will identify itself as "Internetwork
      Operating System Software" or simply "IOS". On the next line of
      output, the image name will be displayed between parentheses,
      followed by "Version" and the IOS release name. Cisco IOS XR software
      will identify itself as "Cisco IOS XR Software" followed by "Version"
      and the version number. Other Cisco devices will not have the show
      version command or will give different output.
      
      The following example identifies a Cisco product running Cisco IOS
      release 12.2(14)S16 with an installed image name of C7200-IS-M:
      
          Cisco Internetwork Operating System Software
          IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(14)S16, 
           RELEASE SOFTWARE (fc1)
      
      The release train label is "12.2".
      
      The next example shows a product running IOS release 12.3(7)T12 with
      an image name of C7200-IK9S-M:
      
          Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(7)T12, 
           RELEASE SOFTWARE (fc1)
      
      Additional information about Cisco IOS Banners is available at
      http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml#3
      
      Cisco IOS XR Software is a member of the Cisco IOS software family
      that uses a microkernel-based distributed operating system
      infrastructure. Cisco IOS XR runs only on Cisco Carrier Routing
      System 1 (CRS-1) and Cisco XR 12000 series routers.
      
      Additional information about Cisco IOS XR is available at 
      http://www.cisco.com/en/US/products/ps5845/index.html
      
      The following example shows partial output from the show version
      command which identifies a Cisco product running Cisco IOS XR release
      3.3.0:
      
          RP/0/RP0/CPU0:router#show version
          Cisco IOS XR Software, Version 3.3.0 
          Copyright (c) 2006 by cisco Systems, Inc. 
          ROM: System Bootstrap, Version 1.32(20050525:193559) [CRS-1 ROMMON]
      
      Products Confirmed Not Vulnerable
      +--------------------------------
      
      Cisco devices that do not run Cisco IOS or Cisco IOS XR software are
      not affected. CatOS software is not affected by this issue.
      
      No other Cisco products are currently known to be affected by this
      vulnerability.
      
      Details
      =======
      
      This vulnerability may be exploited when an affected device processes
      a packet that meets all three of the following conditions:
      
      +---------------------------------------+
      | 1. The packet contains a specific     |
      | crafted IP option.                    |
      |---------------------------------------|
      | AND                                   |
      |---------------------------------------|
      | 2. The packet is one of the following |
      | protocols:                            |
      |---------------------------------------|
      |   * ICMP - Echo (Type 8) - 'ping'     |
      |---------------------------------------|
      |   * ICMP - Timestamp (Type 13)        |
      |---------------------------------------|
      |   * ICMP - Information Request (Type  |
      |     15)                               |
      |---------------------------------------|
      |   * ICMP - Address Mask Request (Type |
      |     17)                               |
      |---------------------------------------|
      |   * PIMv2 - IP protocol 103           |
      |---------------------------------------|
      |   * PGM - IP protocol 113             |
      |---------------------------------------|
      |   * URD - TCP Port 465                |
      |---------------------------------------|
      | AND                                   |
      |---------------------------------------|
      | 3. The packet is sent to a physical   |
      | or virtual IPv4 address configured on |
      | the affected device.                  |
      +---------------------------------------+
      
      No other ICMP message types are affected by this issue.
      
      No other IP protocols are affected by this issue.
      
      No other TCP services are affected by this issue.
      
      The packet can be sent from a local network or from a remote network.
      
      The source IP address of the packet can be spoofed or non-spoofed.
      
      Packets which transit the device (packets not sent to one of the
      device's IP addresses) do not trigger the vulnerability and the
      device is not affected.
      
      This vulnerability is documented in these Bug IDs:
      
        * Cisco Bug ID CSCec71950 for Cisco IOS
        * Cisco Bug ID CSCeh52410 for Cisco IOS XR
      
      Cisco IOS
      +--------
      
      A crafted packet addressed directly to a vulnerable device running
      Cisco IOS software may result in the device reloading or may allow
      execution of arbitrary code.
      
      Cisco IOS XR
      +-----------
      
      A crafted packet addressed directly to a vulnerable device running
      Cisco IOS XR software may result in the ipv4_io process restarting or
      may allow execution of arbitrary code. CRS-1 Nodes that run the
      ipv4_io process include Route Processors (RP), Distributed Route
      Processors (DRP), Modular Services Cards (MSC), and XR 12000 Line
      Cards. While the ipv4_io process is restarting, all ICMP traffic
      destined for the device itself and exception punts will be dropped.
      Examples of exception punts include packets having IP header
      information that requires further processing such as IP options,
      Time-to-Live equal to 0 or 1, and layer-2 keepalives. CLNS traffic to
      the Node or Line Card is not affected. If the ipv4_io process is
      restarted several times consecutively, the CRS-1 Node or XR 12000
      Line Card may reload, causing a Denial of Service (DoS) condition for
      the transit traffic switched on that Node or Line card.
      
      Devices Configured for ICMP Message Types
      +----------------------------------------
      
      ICMP Type 8
      +----------
      
      By default, devices running all Cisco IOS and Cisco IOS XR versions
      will process ICMP echo-request (Type 8) packets. This behavior cannot
      be modified.
      
      ICMP Type 13
      +-----------
      
      By default, devices running all Cisco IOS versions will process ICMP
      timestamp (Type 13) packets. This behavior cannot be modified.
      
      By default, devices running all Cisco IOS XR versions will NOT
      process ICMP timestamp (Type 13) packets. This behavior cannot be
      modified.
      
      ICMP Type 15
      +-----------
      
      With the introduction of CSCdz50424, by default routers will NOT
      process ICMP information request (Type 15) packets. Releases of Cisco
      IOS that contain CSCdz50424 include 12.3, 12.3T, 12.4, 12.4T, later
      12.0S and later 12.2S. See CSCdz50424 for complete release  
      information.
      
      A router running a Cisco IOS release containing CSCdz50424 that has
      been modified to process ICMP information request packets will have
      the interface configuration statement "ip information-reply", which 
      can be seen by issuing the command "show running-config" as shown 
      in the following examples:
      
          router#show running-config | include information-reply
            ip information-reply
      
      or
      
          router#show running-config 
          
          interface FastEthernet0/0 
            ip address 192.0.2.1 255.255.255.0 
            ip information-reply
      
      By default, devices running all other Cisco IOS versions will process
      ICMP information request (Type 15) packets. This behavior cannot be
      modified. Since this is the default behavior, "ip information-reply"
      will not be visible in the device's configuration.
      
      By default, devices running all Cisco IOS XR versions will NOT
      process ICMP information request (Type 15) packets. This behavior
      cannot be modified.
      
      ICMP Type 17
      +-----------
      
      Beginning in Cisco IOS version 10.0, by default devices will NOT
      process ICMP address mask request (Type 17) packets. A router that
      has been modified to process ICMP address mask request packets will
      have the interface configuration statement "ip mask-reply", which 
      can be seen by issuing the command "show running-config" as shown 
      in the following examples:
      
          router#show running-config | include mask-reply
           ip mask-reply
      
      or
      
          router#show running-config
          
          interface FastEthernet0/0
           ip address 192.0.2.1 255.255.255.0 
           ip mask-reply
      
      By default, devices running all Cisco IOS XR versions will NOT
      process ICMP address mask request (Type 17) packets. A router that
      has been modified to process ICMP address mask request packets will
      have the interface configuration statement "ipv4 mask-reply", which
      can be seen by issuing the command show running-config as shown in 
      the following examples:
      
          RP/0/RP0/CPU0:router#show running-config | include mask-reply
          Building configuration...
           ipv4 mask-reply
      
      or
      
          RP/0/RP0/CPU0:router#show running-config
          interface POS0/1/3/0 
           ipv4 address 192.0.2.1 255.255.255.252 
           ipv4 mask-reply
      
      Devices Configured for Protocol Independent Multicast Version 2
      (PIMv2)
      +--------------------------------------------------------------
      
      Cisco IOS
      +--------
      
      A router running Cisco IOS that is configured to process PIMv2
      packets will have an interface configuration statement that begins
      with "ip pim", which can be seen by issuing the command "show
      running-config" as shown in the following examples:
      
          router#show running-config | include ip pim
           ip pim sparse-mode
      
      or
      
          router#show running-config
          
          interface FastEthernet0/0
           ip address 192.0.2.1 255.255.255.0 
           ip pim sparse-dense-mode
      
      The command "show ip pim interface" can also be used to determine 
      if a router is configured to process PIMv2 packets, as shown in 
      the following example:
      
       router#show ip pim interface
       Address     Interface       Ver/    Nbr     Query  DR      DR
                                   Mode    Count   Intvl  Prior 
       192.0.2.1   FastEthernet0/0 v1/S    0       30     1       0.0.0.0
       192.168.1.1 FastEthernet1/0 v2/SD   0       30     1       0.0.0.0
      
      Interfaces running PIMv2 will show "v2/" under the Ver/Mode column.
      Interfaces without PIM configured will not be shown in the command
      output.
      
      PIMv2 is the default PIM version. Routers configured to process only
      PIMv1 messages are not vulnerable to the PIMv2 exploit. Routers that
      do not have PIM configured are not vulnerable to the PIMv2 exploit.
      PIM is not enabled by default.
      
      Additional information about PIM is available at 
      http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca794.html
      
      Cisco IOS XR
      +-----------
      
      The command show pim interface can be used to determine if a router
      running Cisco IOS XR is configured to process PIMv2 packets, as shown
      in the following example:
      
      RP/0/0/CPU0:router#show pim interface 
      Address      Interface           PIM  Nbr   Hello  DR    DR
                                            Count Intvl  Prior
      192.168.1.1  Loopback0           on   1     30     1     this system
      192.168.2.1  MgmtEth0/0/CPU0/0   off  0     30     1     not elected
      192.168.3.1  Loopback1           on   1     30     1     this system
      192.168.4.1  Loopback3           on   1     30     1     this system
      192.168.5.1  POS0/4/0/0          on   1     30     1     this system
      192.0.2.1    POS0/4/0/1          on   1     30     1     this system
      
      Interfaces running PIMv2 will show on under the PIM column.
      Interfaces without PIM configured will show "off" under the PIM
      column.
      
      Cisco IOS XR does not support PIMv1. PIM is not enabled by default on
      Cisco IOS XR.
      
      Additional information about PIM on Cisco IOS XR is available at 
      http://www.cisco.com/en/US/products/ps5845/products_configuration_guide_chapter09186a008069a8a2.html
      
      Devices Configured for Pragmatic General Multicast (PGM)
      +-------------------------------------------------------
      
      A router that is configured to process PGM packets will have the
      interface configuration statement "ip pgm router", which can be 
      seen by issuing the command "show running-config" as shown in 
      the following examples:
      
          router#show running-config | include ip pgm
           ip pgm router
      
      or
      
          router#show running-config
          
           interface FastEthernet1/0
            ip address 192.0.2.1 255.255.255.0 
            ip pim sparse-dense-mode 
            ip pgm router
      
      or
      
          router#show running-config
          
          interface FastEthernet1/0 
           ip address 192.0.2.1 255.255.255.0 
           ip pgm router
      
      Routers that do not have PGM configured are not vulnerable to the PGM
      exploit. PGM is not enabled by default.
      
      Additional information about PGM is available at 
      http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca798.html
      
      Cisco IOS XR does not support PGM and is not affected by PGM packets
      that exploit this vulnerability.
      
      Devices Configured for URL Rendezvous Directory (URD)
      +----------------------------------------------------
      
      A router that is configured to process URD packets will have the
      interface configuration statement "ip urd" or "ip urd proxy", 
      which can be seen by issuing the command "show running-config"
      as shown in the following examples:
      
          router#show running-config | include ip urd
           ip urd
      
      or
      
          router#show running-config | include ip urd
           ip urd proxy
      
      or
      
          router#show running-config
          
           interface FastEthernet1/0
            ip address 192.0.2.1 255.255.255.0 
            ip pim sparse-mode 
            ip urd
      
      or
      
          router#show running-config
          
           interface FastEthernet1/0
            ip address 192.0.2.1 255.255.255.0 
            ip pim sparse-dense-mode 
            ip urd proxy
      
      or
      
          router#show running-config
          
          interface FastEthernet1/0 
           ip address 192.0.2.1 255.255.255.0 
           ip urd
      
      Routers that do not have URD configured are not vulnerable to the URD
      exploit. URD is not enabled by default.
      
      Additional information about URD is available at 
      http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca795.html
      
      Cisco IOS XR does not support URD and is not affected by URD packets
      that exploit this vulnerability.
      
      Vulnerability Scoring Details
      =============================
      
      Cisco is providing scores for the vulnerabilities in this advisory
      based on the Common Vulnerability Scoring System (CVSS). Cisco will
      provide a base and temporal score. Customers can then compute
      environmental scores to assist in determining the impact of the
      vulnerability in individual networks.
      
      Cisco PSIRT will set the bias in all cases to normal. Customers are
      encouraged to apply the bias parameter when determining the
      environmental impact of a particular vulnerability.
      
      CVSS is a standards-based scoring method that conveys vulnerability
      severity and helps determine urgency and priority of response.
      
      Cisco has provided an FAQ to answer additional questions regarding
      CVSS at
      http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
      
      Cisco has also provided a CVSS calculator to help compute the
      environmental impact for individual networks at 
      http://intellishield.cisco.com/security/alertmanager/cvss
      
      
      CSCec71950 - Crafted IP Option may cause DoS or code execution  
      CVSS Base Score: 10
      - - Access Vector: Remote
      - - Access Complexity: Low
      - - Authentication: Not Required
      - - Confidentiality Impact: Complete
      - - Integrity Impact: Complete
      - - Availability Impact: Complete
      - - Impact Bias: Normal
      
      CVSS Temporal Score: 8.3
      - - Exploitability: Functional
      - - Remediation Level: Official Fix
      - - Report Confidence: Confirmed
      
      
      CSCeh52410 - Crafted IP Option may cause ipv4-io DoS or code 
                   execution
      CVSS Base Score: 10
      - - Access Vector: Remote
      - - Access Complexity: Low
      - - Authentication: Not Required
      - - Confidentiality Impact: Complete
      - - Integrity Impact: Complete
      - - Availability Impact: Complete
      - - Impact Bias: Normal
      
      CVSS Temporal Score: 8.3
      - - Exploitability: Functional
      - - Remediation Level: Official Fix
      - - Report Confidence: Confirmed
      
      
      Impact
      ======
      
      Cisco IOS
      +--------
      
      Successful exploitation of the vulnerability on Cisco IOS may result
      in a reload of the device or execution of arbitrary code. Repeated
      exploitation could result in a sustained DoS attack.
      
      Cisco IOS XR
      +-----------
      
      Successful exploitation of the vulnerability on Cisco IOS XR may
      result in the ipv4_io process restarting or execution of arbitrary
      code. Repeated exploitation could result in a CRS-1 Node or XR 12000
      Line Card reload and sustained DoS attack.
      
      Software Version and Fixes
      ==========================
      
      When considering software upgrades, also consult 
      http://www.cisco.com/go/psirt and any subsequent advisories to 
      determine exposure and a complete upgrade solution.
      
      In all cases, customers should exercise caution to be certain the
      devices to be upgraded contain sufficient memory and that current
      hardware and software configurations will continue to be supported
      properly by the new release. If the information is not clear, contact
      the Cisco Technical Assistance Center ("TAC") or your contracted
      maintenance provider for assistance.
      
      Each row of the Cisco IOS software table (below) describes a release
      train and the platforms or products for which it is intended. If a
      given release train is vulnerable, then the earliest possible
      releases that contain the fix (the "First Fixed Release") and the
      anticipated date of availability for each are listed in the "Rebuild"
      and "Maintenance" columns. A device running a release in the given
      train that is earlier than the release in a specific column (less
      than the First Fixed Release) is known to be vulnerable. The release
      should be upgraded at least to the indicated release or a later
      version (greater than or equal to the First Fixed Release label).
      
      For more information on the terms "Rebuild" and "Maintenance,"
      consult the following URL: 
      http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml
      
      Note: There are three IOS security advisories and one field notice
      being published on January 24, 2007. Each advisory lists only the
      releases which fix the issue described in the advisory. A combined
      software table is available at 
      http://www.cisco.com/warp/public/707/cisco-sa-20070124-bundle.shtml 
      and can be used to choose a software release which fixes all 
      security vulnerabilities published as of January 24, 2007. Links 
      for the advisories and field notice are listed here.
      
        * http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml
        * http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml
        * http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
        * http://www.cisco.com/warp/customer/770/fn62613.shtml
      
      Requests for software rebuilds to include the change for Daylight
      Savings Time (DST) that will be implemented in March 2007 should be
      directed through the Technical Assistance Center (TAC), and this
      advisory should be used as reference.
      
      +---------------------------------------+
      |   Major    | Availability of Repaired |
      |  Release   |         Releases         |
      |------------+--------------------------|
      | Affected   |            |             |
      | 12.0-Based | Rebuild    | Maintenance |
      | Release    |            |             |
      |------------+--------------------------|
      | 12.0       | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.0DA     | Vulnerable; migrate to   |
      |            | 12.2(10)DA5 or later     |
      |------------+--------------------------|
      | 12.0DB     | Vulnerable; migrate to   |
      |            | 12.3(4)T13 or later      |
      |------------+--------------------------|
      | 12.0DC     | Vulnerable; migrate to   |
      |            | 12.3(4)T13 or later      |
      |------------+--------------------------|
      | 12.0S      | 12.0(27)S3 | 12.0(28)S   |
      |------------+--------------------------|
      | 12.0SC     | Vulnerable; migrate to   |
      |            | 12.3(9a)BC or later      |
      |------------+--------------------------|
      | 12.0SL     | Vulnerable; migrate to   |
      |            | 12.0(28)S or later       |
      |------------+--------------------------|
      | 12.0SP     | Vulnerable; migrate to   |
      |            | 12.0(28)S or later       |
      |------------+--------------------------|
      | 12.0ST     | Vulnerable; migrate to   |
      |            | 12.0(28)S or later       |
      |------------+--------------------------|
      | 12.0SX     | 12.0(25)   | 12.0(30)SX  |
      |            | SX11       |             |
      |------------+------------+-------------|
      | 12.0SY     |            | 12.0(27)SY  |
      |------------+------------+-------------|
      | 12.0SZ     |            | 12.0(30)SZ  |
      |------------+--------------------------|
      | 12.0T      | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      |            | 12.0(28)W5 |             |
      | 12.0W      | (32c);     |             |
      |            | available  |             |
      |            | 31-Jan-07  |             |
      |------------+------------+-------------|
      | 12.0WC     | 12.0(5)    |             |
      |            | WC15       |             |
      |------------+--------------------------|
      | 12.0WT     | Vulnerable; contact TAC  |
      |------------+--------------------------|
      | 12.0XA     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.0XB     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.0XC     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.0XD     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.0XE     | Vulnerable; migrate to   |
      |            | 12.1(23)E or later       |
      |------------+--------------------------|
      | 12.0XF     | Not vulnerable           |
      |------------+--------------------------|
      | 12.0XG     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.0XH     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.0XI     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.0XJ     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.0XK     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.0XL     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.0XM     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.0XN     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.0XQ     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.0XR     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.0XS     | Vulnerable; migrate to   |
      |            | 12.1(23)E or later       |
      |------------+--------------------------|
      | 12.0XV     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.0XW     | Vulnerable; migrate to   |
      |            | 12.0(5)WC15 or later     |
      |------------+--------------------------|
      | Affected   |            |             |
      | 12.1-Based | Rebuild    | Maintenance |
      | Release    |            |             |
      |------------+--------------------------|
      | 12.1       | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.1AA     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      |            | Vulnerable; for          |
      |            | c3750-ME, migrate to     |
      | 12.1AX     | 12.2(25)EY or later. For |
      |            | c2970 and 3750, migrate  |
      |            | to 12.2(25)SE or later.  |
      |------------+--------------------------|
      | 12.1AY     | Vulnerable; migrate to   |
      |            | 12.1(22)EA8              |
      |------------+--------------------------|
      | 12.1AZ     | Vulnerable; migrate to   |
      |            | 12.1(22)EA8              |
      |------------+--------------------------|
      | 12.1CX     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.1DA     | Vulnerable; migrate to   |
      |            | 12.2(10)DA5 or later     |
      |------------+--------------------------|
      | 12.1DB     | Vulnerable; migrate to   |
      |            | 12.3(4)T13 or later      |
      |------------+--------------------------|
      | 12.1DC     | Vulnerable; migrate to   |
      |            | 12.3(4)T13 or later      |
      |------------+--------------------------|
      | 12.1E      |            | 12.1(23)E   |
      |------------+------------+-------------|
      | 12.1EA     | 12.1(22)   |             |
      |            | EA8        |             |
      |------------+------------+-------------|
      | 12.1EB     |            | 12.1(23)EB  |
      |------------+--------------------------|
      | 12.1EC     | Vulnerable; migrate to   |
      |            | 12.3(9a)BC or later      |
      |------------+--------------------------|
      |            | 12.1(19)   |             |
      |            | EO6,       |             |
      |            | available  |             |
      | 12.1EO     | 31-Jan-07  |             |
      |            |------------+-------------|
      |            | 12.1(20)   |             |
      |            | EO3        |             |
      |------------+--------------------------|
      | 12.1EU     | Vulnerable; migrate to   |
      |            | 12.2(25)EWA or later     |
      |------------+--------------------------|
      | 12.1EV     | Vulnerable; migrate to   |
      |            | 12.2(26)SV1 or later     |
      |------------+--------------------------|
      | 12.1EW     | Vulnerable; migrate to   |
      |            | 12.2(18)EW3 or later     |
      |------------+--------------------------|
      | 12.1EX     | Vulnerable; migrate to   |
      |            | 12.1(23)E or later       |
      |------------+--------------------------|
      | 12.1EY     | Vulnerable; migrate to   |
      |            | 12.1(23)E or later       |
      |------------+--------------------------|
      | 12.1EZ     | Vulnerable; migrate to   |
      |            | 12.1(23)E or later       |
      |------------+--------------------------|
      | 12.1T      | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.1XA     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.1XB     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.1XC     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.1XD     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.1XE     | Vulnerable; migrate to   |
      |            | 12.1(23)E or later       |
      |------------+--------------------------|
      | 12.1XF     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.1XG     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.1XH     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.1XI     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.1XJ     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.1XL     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.1XM     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.1XP     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.1XQ     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.1XR     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.1XS     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.1XT     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.1XU     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.1XV     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.1XW     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.1XX     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.1XY     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.1XZ     | Vulnerable; migrate to   |
      |            | 12.2(37)or later         |
      |------------+--------------------------|
      | 12.1YA     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.1YB     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.1YC     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.1YD     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.1YE     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.1YF     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.1YH     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.1YI     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.1YJ     | Vulnerable; migrate to   |
      |            | 12.1(22)EA8              |
      |------------+--------------------------|
      | Affected   |            |             |
      | 12.2-Based | Rebuild    | Maintenance |
      | Release    |            |             |
      |------------+------------+-------------|
      | 12.2       | 12.2(34a)  | 12.2(37)    |
      |------------+--------------------------|
      | 12.2B      | Vulnerable; migrate to   |
      |            | 12.3(4)T13 or later      |
      |------------+--------------------------|
      | 12.BC      | Vulnerable; migrate to   |
      |            | 12.3(9a)BC or later      |
      |------------+--------------------------|
      | 12.2BW     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2BY     | Vulnerable; migrate to   |
      |            | 12.3(4)T13 or later      |
      |------------+--------------------------|
      | 12.2BZ     | Vulnerable; migrate to   |
      |            | 12.3(7)XI8 or later      |
      |------------+--------------------------|
      | 12.2CX     | Vulnerable; migrate to   |
      |            | 12.3(9a)BC or later      |
      |------------+--------------------------|
      | 12.2CY     | Vulnerable; migrate to   |
      |            | 12.3(9a)BC or later      |
      |------------+--------------------------|
      | 12.2CZ     | Vulnerable; contact TAC  |
      |------------+--------------------------|
      |            | 12.2(10)   |             |
      |            | DA5        |             |
      |12.2DA      |------------+-------------|
      |            | 12.2(12)   |             |
      |            | DA10       |             |
      |------------+--------------------------|
      | 12.2DD     | Vulnerable; migrate to   |
      |            | 12.3(4)T13 or later      |
      |------------+--------------------------|
      | 12.2DX     | Vulnerable; migrate to   |
      |            | 12.3(4)T13 or later      |
      |------------+--------------------------|
      | 12.2EU     | Vulnerable; migrate to   |
      |            | 12.2(25)EWA5 or later    |
      |------------+--------------------------|
      |            | 12.2(18)   |             |
      |            | EW3        |             |
      |12.2EW      |------------+-------------|
      |            | 12.2(20)   | 12.2(25)EW  |
      |            | EW4        |             |
      |------------+------------+-------------|
      | 12.2EWA    | 12.2(20)   | 12.2(25)EWA |
      |            | EWA4       |             |
      |------------+------------+-------------|
      | 12.2EX     |            | 12.2(25)EX  |
      |------------+--------------------------|
      | 12.2EY     | All 12.2EY releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2EZ     | All 12.2EZ releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2FX     | All 12.2FX releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2FY     | All 12.2FY releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2FZ     | All 12.2FZ releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2IXA    | All 12.2IXA releases are |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2IXB    | All 12.2IXB releases are |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2IXC    | All 12.2IXC releases are |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2JA     | Vulnerable; migrate to   |
      |            | 12.3(8)JA or later       |
      |------------+--------------------------|
      | 12.2JK     | Vulnerable; migrate to   |
      |            | 12.4(4)T or later        |
      |------------+--------------------------|
      | 12.2MB     | Vulnerable; migrate to   |
      |            | 12.2(25)SW1 or later     |
      |------------+--------------------------|
      | 12.2MC     | 12.2(15)MC2h             |
      |------------+--------------------------|
      | 12.2S      |            | 12.2(25)S   |
      |------------+------------+-------------|
      | 12.2SB     |            | 12.2(28)SB  |
      |------------+--------------------------|
      | 12.2SBC    | All 12.2SBC releases are |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2SE     |            | 12.2(25)SE  |
      |------------+--------------------------|
      | 12.2SEA    | All 12.2SEA releases are |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2SEB    | All 12.2SEB releases are |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2SEC    | All 12.2SEC releases are |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2SED    | All 12.2SED releases are |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2SEE    | All 12.2SEE releases are |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2SEF    | All 12.2SEF releases are |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2SEG    | All 12.2SEG releases are |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2SG     | All 12.2SG releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2SGA    | All 12.2SGA releases are |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2SO     | 12.2(18)   |             |
      |            | SO7        |             |
      |------------+--------------------------|
      | 12.2SRA    | All 12.2SRA releases are |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2SRB    | All 12.2SRB releases are |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2SU     | Vulnerable; migrate to   |
      |            | 12.3(14)T or later       |
      |------------+--------------------------|
      | 12.2SV     |            | 12.2(23)SV  |
      |------------+------------+-------------|
      | 12.2SW     | 12.2(25)   |             |
      |            | SW1        |             |
      |------------+--------------------------|
      | 12.2SX     | Vulnerable; migrate to   |
      |            | 12.2(17d)SXB11a or later |
      |------------+--------------------------|
      | 12.2SXA    | Vulnerable; migrate to   |
      |            | 12.2(17d)SXB11a or later |
      |------------+--------------------------|
      | 12.2SXB    | 12.2(17d)  |             |
      |            | SXB11a     |             |
      |------------+------------+-------------|
      | 12.2SXD    | 12.2(18)   |             |
      |            | SXD7a      |             |
      |------------+--------------------------|
      | 12.2SXE    | All 12.2SXE releases are |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2SXF    | All 12.2SXF releases are |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.2SY     | Vulnerable; migrate to   |
      |            | 12.2(17d)SXB11a or later |
      |------------+--------------------------|
      | 12.2SZ     | Vulnerable; migrate to   |
      |            | 12.2(25)S or later       |
      |------------+--------------------------|
      | 12.2T      | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2TPC    | Vulnerable; contact TAC  |
      |------------+--------------------------|
      | 12.2XA     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2XB     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2XC     | Vulnerable; migrate to   |
      |            | 12.3(8)T or later        |
      |------------+--------------------------|
      | 12.2XD     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2XE     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2XF     | Vulnerable; migrate to   |
      |            | 12.3(9a)BC or later      |
      |------------+--------------------------|
      | 12.2XG     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2XH     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2XI     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2XJ     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2XK     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2XL     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2XM     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2XN     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2XQ     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2XR     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2XS     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2XT     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2XU     | Vulnerable; migrate to   |
      |            | 12.3(12) or later        |
      |------------+--------------------------|
      | 12.2XV     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2XW     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2YA     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2YB     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2YC     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2YD     | Vulnerable; migrate to   |
      |            | 12.3(8)T or later        |
      |------------+--------------------------|
      | 12.2YE     | Vulnerable; migrate to   |
      |            | 12.2(25)S or later       |
      |------------+--------------------------|
      | 12.2YF     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2YG     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2YH     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2YJ     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2YK     | Vulnerable; migrate to   |
      |            | 12.3(8)T or later        |
      |------------+--------------------------|
      | 12.2YL     | Vulnerable; migrate to   |
      |            | 12.3(8)T or later        |
      |------------+--------------------------|
      | 12.2YM     | Vulnerable; migrate to   |
      |            | 12.3(8)T or later        |
      |------------+--------------------------|
      | 12.2YN     | Vulnerable; migrate to   |
      |            | 12.3(8)T or later        |
      |------------+--------------------------|
      | 12.2YO     | Not vulnerable           |
      |------------+--------------------------|
      | 12.2YP     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2YQ     | Vulnerable; migrate to   |
      |            | 12.3(4)T13 or later      |
      |------------+--------------------------|
      | 12.2YR     | Vulnerable; migrate to   |
      |            | 12.3(4)T13 or later      |
      |------------+--------------------------|
      | 12.2YS     | Vulnerable; migrate to   |
      |            | 12.3(8)T or later        |
      |------------+--------------------------|
      | 12.2YT     | Vulnerable; migrate to   |
      |            | 12.3(8) or later         |
      |------------+--------------------------|
      | 12.2YU     | Vulnerable; migrate to   |
      |            | 12.3(8)T or later        |
      |------------+--------------------------|
      | 12.2YV     | Vulnerable; migrate to   |
      |            | 12.3(4)T13 or later      |
      |------------+--------------------------|
      | 12.2YW     | Vulnerable; migrate to   |
      |            | 12.3(8)T or later        |
      |------------+--------------------------|
      | 12.2YX     | Vulnerable; migrate to   |
      |            | 12.3(14)T or later       |
      |------------+--------------------------|
      | 12.2YY     | Vulnerable; migrate to   |
      |            | 12.3(4)T13 or later      |
      |------------+--------------------------|
      | 12.2YZ     | Vulnerable; migrate to   |
      |            | 12.2(25)S or later       |
      |------------+--------------------------|
      | 12.2ZA     | Vulnerable; migrate to   |
      |            | 12.2(17d)SXBa or later   |
      |------------+--------------------------|
      | 12.2ZB     | Vulnerable; migrate to   |
      |            | 12.3(8)T or later        |
      |------------+--------------------------|
      | 12.2ZC     | Vulnerable; migrate to   |
      |            | 12.3(8)T or later        |
      |------------+--------------------------|
      | 12.2ZD     | Vulnerable; contact TAC  |
      |------------+--------------------------|
      | 12.2ZE     | Vulnerable; migrate to   |
      |            | 12.3(8) or laer          |
      |------------+--------------------------|
      | 12.2ZF     | Vulnerable; migrate to   |
      |            | 12.3(4)T13 or later      |
      |------------+--------------------------|
      |            | Vulnerable; for SOHO9x,  |
      | 12.2ZG     | migrate to 12.3(8)YG2 or |
      |            | later. For c83x, migrate |
      |            | to 12.3(2)XA3 or later   |
      |------------+--------------------------|
      | 12.2ZH     | Vulnerable; contact TAC  |
      |------------+--------------------------|
      | 12.2ZJ     | Vulnerable; migrate to   |
      |            | 12.3(8)T or later        |
      |------------+--------------------------|
      | 12.2ZL     | Vulnerable; contact TAC  |
      |------------+--------------------------|
      | 12.2ZN     | Vulnerable; migrate to   |
      |            | 12.3(4)T13 or later      |
      |------------+--------------------------|
      | 12.2ZP     | Vulnerable; migrate to   |
      |            | 12.3(8)XY or later       |
      |------------+--------------------------|
      | Affected   |            |             |
      | 12.3-Based | Rebuild    | Maintenance |
      | Release    |            |             |
      |------------+------------+-------------|
      | 12.3       |            | 12.3(8)     |
      |------------+--------------------------|
      | 12.3B      | Vulnerable; migrate to   |
      |            | 12.3(8)T7 or later       |
      |------------+--------------------------|
      | 12.3BC     |            | 12.3(9a)BC  |
      |------------+--------------------------|
      | 12.3BW     | Vulnerable; migrate to   |
      |            | 12.3(8)T or later        |
      |------------+--------------------------|
      | 12.3JA     |            | 12.3(8)JA   |
      |------------+--------------------------|
      | 12.3JEA    | All 12.3JEA releases are |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3JEB    | All 12.3JEA releases are |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3JK     | 12.3(2)JK2 | 12.3(8)JK   |
      |------------+------------+-------------|
      | 12.3JX     | 12.3(7)JX6 | 12.3(11)JX  |
      |------------+------------+-------------|
      | 12.3T      | 12.3(4)T13 | 12.3(8)T    |
      |------------+------------+-------------|
      | 12.3TPC    | 12.3(4)    |             |
      |            | TPC11b     |             |
      |------------+------------+-------------|
      | 12.3XA     | 12.3(2)XA6 |             |
      |------------+--------------------------|
      | 12.3XB     | Vulnerable; migrate to   |
      |            | 12.3(8)T or later        |
      |------------+--------------------------|
      | 12.3XC     | Vulnerable; contact TAC  |
      |------------+--------------------------|
      | 12.3XD     | Vulnerable; migrate to   |
      |            | 12.3(8)T7 or later       |
      |------------+--------------------------|
      | 12.3XE     | Vulnerable; contact TAC  |
      |------------+--------------------------|
      | 12.3XF     | Vulnerable; migrate to   |
      |            | 12.3(11)T or later       |
      |------------+--------------------------|
      | 12.3XG     | Vulnerable; contact TAC  |
      |------------+--------------------------|
      | 12.3XH     | Vulnerable; migrate to   |
      |            | 12.3(11)T or later       |
      |------------+--------------------------|
      | 12.3XI     | 12.3(7)XI8 |             |
      |------------+--------------------------|
      | 12.3XJ     | Vulnerable; migrate to   |
      |            | 12.3(8)XW or later       |
      |------------+--------------------------|
      | 12.3XK     | Vulnerable; migrate to   |
      |            | 12.3(14)T or later       |
      |------------+--------------------------|
      | 12.3XQ     | Vulnerable; migrate to   |
      |            | 12.4(1) or later         |
      |------------+--------------------------|
      | 12.3XR     | All 12.3XR releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3XS     | All 12.3XS releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3XU     | All 12.3XU releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3XW     | All 12.3XW releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3XX     | All 12.3XX releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3XY     | All 12.3XR releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3YA     | All 12.3YA releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3YD     | All 12.3YD releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3YF     | All 12.3YF releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3YG     | All 12.3YG releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3YH     | All 12.3YH releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3YI     | All 12.3YI releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3YJ     | All 12.3YJ releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3YK     | All 12.3YK releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3YM     | All 12.3YM releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3YQ     | All 12.3YQ releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3YS     | All 12.3YS releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3YT     | All 12.3YT releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3YU     | All 12.3YU releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3YX     | All 12.3YX releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | 12.3YZ     | All 12.3YZ releases are  |
      |            | fixed                    |
      |------------+--------------------------|
      | Affected   |            |             |
      | 12.4-Based | Rebuild    | Maintenance |
      | Release    |            |             |
      |---------------------------------------|
      | All 12.4 releases are fixed           |
      +---------------------------------------+
      
      +---------------------------------------+
      | Cisco IOS XR Version        | SMU ID  |
      |-----------------------------+---------|
      | 3.2.2 for CRS-1             | AA01482 |
      |-----------------------------+---------|
      | 3.2.3 for CRS-1             | AA01483 |
      |-----------------------------+---------|
      | 3.2.4 for CRS-1             | AA01484 |
      |-----------------------------+---------|
      | 3.2.6 for CRS-1             | AA01727 |
      |-----------------------------+---------|
      | 3.3.x for CRS-1 and XR12000 | Fixed   |
      |-----------------------------+---------|
      | 3.4.x for CRS-1 and XR12000 | Fixed   |
      +---------------------------------------+
      
      Workarounds
      ===========
      
      Additional mitigations that can be deployed on Cisco devices within
      the network are available in the Cisco Applied Intelligence companion
      document for this advisory:
      
      http://www.cisco.com/warp/public/707/cisco-air-20070124-crafted-ip-option.shtml
      
      IP Options Selective Drop
      +------------------------
      
      The IP Options Selective Drop feature allows Cisco routers to
      mitigate the effects of IP options by dropping packets containing
      them or by not processing (ignoring) IP options in a packet.
      
      The most effective workaround is using the "drop" option of this
      global configuration command: "ip options drop". This command 
      will drop all IP packets containing IP options that are both 
      destined to the router itself or transiting through the router 
      before they are processed, preventing exploitation locally and 
      downstream.
      
      The IP Options Selective Drop feature is available beginning in Cisco
      IOS software version 12.0(23)S for 12000, 12.0(32)S for 10720, and
      12.3(4)T, 12.2(25)S, and 12.2(27)SBC for other hardware platforms.
      
      Please note that deploying this command will drop legitimate packets
      containing IP options as well. Protocols this may impact include RSVP
      (used by Microsoft NetMeeting), MPLS TE, MPLS OAM, DVMRP, IGMPv3,
      IGMPv2, and legitimate PGM.
      
      Note: The "ignore" option of the global command "ip options ignore",
      available only on the Cisco 12000 router beginning in 12.0(23)S, is
      NOT a workaround for this issue.
      
      Additional information about IP Options Selective Drop feature is
      available at 
      http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00801d4a94.html
      
      Transit Access Control Lists (ACLs)
      +----------------------------------
      
      Configure an interface ACL that blocks traffic of these types:
      
        * Echo (Ping) ICMP type 8
        * Timestamp ICMP type 13
        * Information Request ICMP type 15
        * Address Mask Request ICMP Type 17
        * Protocol Independent Multicast (PIM) IP protocol 103
        * Pragmatic General Multicast (PGM) IP protocol 113
        * URL Rendezvous Directory (URD) TCP port 465
      
      The Internet Control Message Protocol is an integral part of the
      Transmission Control Protocol/Internet Protocol (TCP/IP) protocol
      suite that is used to report error conditions and provide diagnostic
      information. Filtering ICMP messages may impact this error condition
      and diagnostic reporting including "ping" and Windows traceroute
      which uses ICMP ping.
      
      If the device is configured to process PIM, PGM, or URD, blocking
      those packets will prevent legitimate operation of the protocols.
      
      Since the source IP address of these packets can be easily spoofed,
      the affected traffic should be blocked on all of the device's IPv4
      interfaces.
      
      The following ACL is specifically designed to block attack traffic
      and should be applied to all IPv4 interfaces of the device and should
      include topology-specific filters:
      
          access-list 150 deny   icmp any any echo
          access-list 150 deny   icmp any any information-request
          access-list 150 deny   icmp any any timestamp-request
          access-list 150 deny   icmp any any mask-request
          access-list 150 deny   tcp any any eq 465 
          access-list 150 deny   103 any any
          access-list 150 deny   113 any any
          access-list 150 permit ip any any
          
          interface serial 2/0 
           ip access-group 150 in
      
      These ACL statements should be deployed at the network edge as part
      of a transit access list which will protect the router where the ACL
      is configured as well as other devices behind it. Further information
      about transit ACLs is available in the white paper "Transit Access
      Control Lists: Filtering at Your Edge", available at 
      http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
      
      The following Cisco IOS XR ACL is specifically designed to block
      attack traffic and should be applied to all IPv4 interfaces of the
      device and should include topology-specific filters:
      
          ipv4 access-list ios-xr-transit-acl
           10 deny   icmp any any echo
           20 deny   icmp any any information-request
           30 deny   icmp any any timestamp-request
           40 deny   icmp any any mask-request
           50 deny   tcp any any eq 465 
           60 deny   103 any any
           70 deny   113 any any
           80 permit ip any any
          
          interface POS 0/2/0/
            ipv4 access-group ios-xr-transit-acl ingress
      
      Information about configuring access lists on Cisco IOS XR is
      available at 
      http://www.cisco.com/en/US/products/ps5763/products_command_reference_chapter09186a00803e01ae.html
      
      Infrastructure ACLs
      +------------------
      
      Although it is often difficult to block traffic transiting your
      network, it is possible to identify traffic which should never be
      allowed to target your infrastructure devices and block that traffic
      at the border of your network. Infrastructure ACLs are considered a
      network security best practice and should be considered as a
      long-term addition to good network security as well as a workaround
      for this specific vulnerability. The ACL example shown below should
      be included as part of the deployed infrastructure access list which
      will protect all devices with IP addresses in the infrastructure IP
      address range.
      
      Cisco IOS
      +--------
      
          access-list 150 deny   icmp any INFRASTRUCTURE_ADDRESSES echo
          access-list 150 deny   icmp any INFRASTRUCTURE_ADDRESSES information-request
          access-list 150 deny   icmp any INFRASTRUCTURE_ADDRESSES timestamp-request
          access-list 150 deny   icmp any INFRASTRUCTURE_ADDRESSES mask-request
          access-list 150 deny   tcp any INFRASTRUCTURE_ADDRESSES  eq 465 
          access-list 150 deny   103 any INFRASTRUCTURE_ADDRESSES 
          access-list 150 deny   113 any INFRASTRUCTURE_ADDRESSES 
          access-list 150 permit ip any any
          
          interface serial 2/0
           ip access-group 150 in
      
      Cisco IOS XR
      +-----------
      
          ipv4 access-list ios-xr-infrastructure-acl
           10 deny   icmp any INFRASTRUCTURE_ADDRESSES  echo
           20 deny   icmp any INFRASTRUCTURE_ADDRESSES  information-request
           30 deny   icmp any INFRASTRUCTURE_ADDRESSES  timestamp-request
           40 deny   icmp any INFRASTRUCTURE_ADDRESSES  mask-request
           50 deny   tcp any INFRASTRUCTURE_ADDRESSES  eq 465
           60 deny   103 any INFRASTRUCTURE_ADDRESSES 
           70 deny   113 any INFRASTRUCTURE_ADDRESSES 
           80 permit ip any any
          
          interface POS 0/2/0/2
            ipv4 access-group ios-xr-infrastructure-acl ingress
      
      The white paper entitled "Protecting Your Core: Infrastructure
      Protection Access Control Lists" presents guidelines and recommended
      deployment techniques for infrastructure protection access lists and
      is available at 
      http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
      
      Information about configuring access lists on Cisco IOS XR is
      available at 
      http://www.cisco.com/en/US/products/ps5763/products_command_reference_chapter09186a00803e01ae.html
      
      Receive ACLs
      +-----------
      
      For distributed platforms, receive ACLs may be an option starting in
      Cisco IOS Software Versions 12.0(21)S2 for the 12000 (GSR), 12.0(24)S
      for the 7500, and 12.0(31)S for the 10720. The receive ACL protects
      the device from harmful traffic before the traffic can impact the
      route processor. A receive ACL is designed to protect only the device
      on which it is configured. On the 12000, transit traffic is never
      affected by a receive ACL. Because of this, the destination IP
      address "any" used in the example ACL entries below only refer to the
      router's own physical or virtual IP addresses. On the 7500 and 10720,
      transit traffic with IP options set will be subject to the receive
      ACL and permitted or denied accordingly. Receive ACLs are considered
      a network security best practice and should be considered as a
      long-term addition to good network security as well as a workaround
      for this specific vulnerability.
      
      The white paper entitled "GSR: Receive Access Control Lists" will
      help you identify and allow legitimate traffic to your device and
      deny all unwanted packets and is available at 
      http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a0a5e.shtml
      
      The following receive path ACL is designed specifically to block this
      attack traffic:
      
          access-list 101 deny   icmp any any echo
          access-list 101 deny   icmp any any information-request
          access-list 101 deny   icmp any any timestamp-request
          access-list 101 deny   icmp any any mask-request
          access-list 101 deny   tcp any any eq 465 
          access-list 101 deny   103 any any
          access-list 101 deny   113 any any
          access-list 101 permit ip any any
          !
          ip receive access-list 101
      
      Control Plane Policing
      +---------------------
      
      The Control Plane Policing (CoPP) feature may be used to mitigate
      this vulnerability. In the following example, any packets that can
      exploit the vulnerability are denied while all other IP traffic is
      permitted. Because of the way routers process packets with IP
      options, CoPP will be applied to attack packets destined for the
      router itself and packets transiting through the router to other
      destination IP addresses. This applies to all platforms except the
      12000 where only attack packets destined for the router itself will
      be dropped.
      
          access-list 100 permit icmp any any echo
          access-list 100 permit icmp any any information-request
          access-list 100 permit icmp any any timestamp-request
          access-list 100 permit icmp any any mask-request
          access-list 100 permit tcp any any eq 465 
          access-list 100 permit 103 any any
          access-list 100 permit 113 any any
          access-list 100 deny   ip any any
          !
          class-map match-all drop-options-class
           match access-group 100
          !
          !
          policy-map drop-options-policy
           class drop-options-class
             drop
          !     
          control-plane
           service-policy input drop-options-policy
      
      Please note that in the 12.0S, 12.2S, and 12.2SX Cisco IOS trains,
      the policy-map syntax is different:
      
          policy-map drop-options-policy
           class drop-options-class
           police 32000 1500 1500 conform-action drop exceed-action drop
      
      Because of the way routers process packets with IP options, CoPP will
      be applied to attack packets destined for the router itself and
      packets transiting through the router to other destination IP
      addresses. In the following example, only packets with IP options
      that can exploit the vulnerability and that are destined for the
      router or that transit through the router are denied while all other
      IP traffic is permitted.
      
          ip access-list extended drop-affected-options
           permit icmp any any echo option any-options
           permit icmp any any information-request option any-options
           permit icmp any any timestamp-request option any-options
           permit icmp any any mask-request option any-options
           permit pim any any option any-options
           permit 113 any any option any-options
           permit tcp any any eq 465 option any-options
           deny ip any any
          !
          class-map match-all drop-options-class
           match access-group name drop-affected-options
          !
          !
          policy-map drop-opt-policy
           class drop-options-class 
            drop
          !
          control-plane
           service-policy input drop-opt-policy
      
      Please note that in the 12.2S Cisco IOS train, the policy-map syntax
      is different:
      
          policy-map drop-opt-policy
           class drop-options-class
            police 32000 1500 1500 conform-action drop exceed-action drop
      
      CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S,
      12.3T, 12.4, and 12.4T.
      
      ACL support for filtering IP options requires named ACLs. ACL support
      for filtering IP options is not available in 12.0S or 12.2SX.
      
      Please note that PGM packets typically use the "Router Alert" Option,
      and dropping PGM packets with IP options will affect legitimate PGM
      packets.
      
      In the above CoPP examples, the ACL entries that match the exploit
      packets with the "permit" action result in these packets being
      discarded by the policy-map drop function, while packets that match
      the "deny" action are not affected by the policy-map drop function.
      
      Additional information on the configuration and use of the CoPP
      feature can be found at 
      http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml 
      and 
      http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html
      
      Additional information for filtering IP Options with access lists can
      be found at 
      http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d4a7d.html
      
      Obtaining Fixed Software
      ========================
      
      Cisco will make free software available to address this vulnerability
      for affected customers. This advisory will be updated as fixed
      software becomes available. Prior to deploying software, customers
      should consult their maintenance provider or check the software for
      feature set compatibility and known issues specific to their
      environment.
      
      Customers may only install and expect support for the feature sets
      they have purchased. By installing, downloading, accessing or
      otherwise using such software upgrades, customers agree to be bound
      by the terms of Cisco's software license terms found at 
      http://www.cisco.com/public/sw-license-agreement.html, or as 
      otherwise set forth at Cisco.com Downloads at 
      http://www.cisco.com/public/sw-center/sw-usingswc.shtml
      
      Do not contact either "psirt at cisco dot com" or "security-alert at cisco dot com"
      for software upgrades.
      
      Customers with Service Contracts
      +-------------------------------
      
      Customers with contracts should obtain upgraded software through
      their regular update channels. For most customers, this means that
      upgrades should be obtained through the Software Center on Cisco's
      worldwide website at http://www.cisco.com
      
      Customers using Third Party Support Organizations
      +------------------------------------------------
      
      Customers whose Cisco products are provided or maintained through
      prior or existing agreement with third-party support organizations
      such as Cisco Partners, authorized resellers, or service providers
      should contact that support organization for guidance and assistance
      with the appropriate course of action in regards to this advisory.
      
      The effectiveness of any workaround or fix is dependent on specific
      customer situations such as product mix, network topology, traffic
      behavior, and organizational mission. Due to the variety of affected
      products and releases, customers should consult with their service
      provider or support organization to ensure any applied workaround or
      fix is the most appropriate for use in the intended network before it
      is deployed.
      
      Customers without Service Contracts
      +----------------------------------
      
      Customers who purchase direct from Cisco but who do not hold a Cisco
      service contract and customers who purchase through third-party
      vendors but are unsuccessful at obtaining fixed software through
      their point of sale should get their upgrades by contacting the Cisco
      Technical Assistance Center (TAC). TAC contacts are as follows.
      
        * +1 800 553 2447 (toll free from within North America)
        * +1 408 526 7209 (toll call from anywhere in the world)
        * e-mail: tac at cisco dot com
      
      Have your product serial number available and give the URL of this
      notice as evidence of your entitlement to a free upgrade. Free
      upgrades for non-contract customers must be requested through the
      TAC.
      
      Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
      for additional TAC contact information, including special localized
      telephone numbers and instructions and e-mail addresses for use in
      various languages.
      
      Exploitation and Public Announcements
      =====================================
      
      The Cisco PSIRT is not aware of any public announcements or malicious
      use of the vulnerability described in this advisory. This
      vulnerability was discovered during internal testing.
      
      Status of this Notice: FINAL
      ============================
      
      THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
      KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
      MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
      INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
      AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
      DOCUMENT AT ANY TIME.
      
      A stand-alone copy or Paraphrase of the text of this document that
      omits the distribution URL in the following section is an
      uncontrolled copy, and may lack important information or contain
      factual errors.
      
      Distribution
      ============
      
      This advisory is posted on Cisco's worldwide website at:
      
      http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
      
      In addition to worldwide web posting, a text version of this notice
      is clear-signed with the Cisco PSIRT PGP key and is posted to the
      following e-mail and Usenet news recipients.
      
        * cust-security-announce at cisco dot com
        * first-teams at first dot org
        * bugtraq at securityfocus dot com
        * vulnwatch at vulnwatch dot org
        * cisco at spot dot colorado dot edu
        * cisco-nsp at puck dot nether dot net
        * full-disclosure at lists.grok dot org dot uk
        * comp.dcom.sys.cisco at newsgate dot cisco dot com
      
      Future updates of this advisory, if any, will be placed on Cisco's
      worldwide website, but may or may not be actively announced on
      mailing lists or newsgroups. Users concerned about this problem are
      encouraged to check the above URL for any updates.
      
      Revision History
      ================
      +---------------------------------------+
      | Revision |             | Initial      |
      | 1.0      | 2007-Jan-24 | public       |
      |          |             | release.     |
      +---------------------------------------+
      
      Cisco Security Procedures
      =========================
      
      Complete information on reporting security vulnerabilities in Cisco
      products, obtaining assistance with security incidents, and
      registering to receive security information from Cisco, is available
      on Cisco's worldwide website at 
      http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
      This includes instructions for press inquiries regarding Cisco 
      security notices. All Cisco security advisories are available at 
      http://www.cisco.com/go/psirt
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1.4.5 (SunOS)
      
      iD8DBQFFt5cO8NUAbBmDaxQRAs6NAJsEXc4RCzhHI1n+Dxjmizm6mzIzmACbBr3H
      /ox3OGmd1I41UMn3iOM8qHc=
      =RlTo
      -----END PGP SIGNATURE-----