[apops] Cisco Security Advisory: Cisco ASR 9000 Series Routers Line Card

  • To: apops at apops dot net
  • Subject: [apops] Cisco Security Advisory: Cisco ASR 9000 Series Routers Line Card IP Version 4 Denial of Service Vulnerability
  • From: Cisco Systems Product Security Incident Response Team <psirt at cisco dot com>
  • Date: Wed, 20 Jul 2011 12:00:00 -0400
  • Cc: psirt at cisco dot com
  • Delivered-to: apops at mailman dot apnic dot net
  • List-archive: <http://mailman.apnic.net/mailing-lists/apops>
  • List-help: <mailto:apops-request@apops.net?subject=help>
  • List-id: Asia Pacific Operators Forum <apops.apops.net>
  • List-post: <mailto:apops@apops.net>
  • List-subscribe: <http://mailman.apnic.net/mailman/listinfo/apops>, <mailto:apops-request@apops.net?subject=subscribe>
  • List-unsubscribe: <http://mailman.apnic.net/mailman/listinfo/apops>, <mailto:apops-request@apops.net?subject=unsubscribe>
  • Prevent-nondelivery-report:
  • Sender: nobody@cisco.com
    • Hash: SHA256
      
      
      Cisco Security Advisory: Cisco ASR 9000 Series Routers Line Card IP Version 4 Denial of Service Vulnerability
      
      Advisory ID: cisco-sa-20110720-asr9k
      
      Revision 1.0
      
      For Public Release 2011 July 20 1600 UTC (GMT)
      
      +---------------------------------------------------------------------
      
      Summary
      =======
      
      Cisco 9000 Series Aggregation Services Routers (ASR) running Cisco
      IOS XR Software version 4.1.0 contain a vulnerability that may cause
      a network processor in a line card to lock up while processing an IP
      version 4 (IPv4) packet. As a consequence of the network processor
      lockup, the line card that is processing the offending packet will
      automatically reload.
      
      Cisco has released a free software maintenance upgrade (SMU) to
      address this vulnerability.
      
      There are no workarounds for this vulnerability.
      
      This advisory is posted at:
      http://www.cisco.com/warp/public/707/cisco-sa-20110720-asr9k.shtml
      
      Affected Products
      =================
      
      Vulnerable Products
      +------------------
      
      This vulnerability affects the following Cisco ASR 9000 Series
      devices when they are running Cisco IOS XR Software version 4.1.0
      without the SMU asr9k-p-4.1.0.CSCtr26695.tar installed:
      
        * Cisco ASR 9006 router
        * Cisco ASR 9010 router
      
      To determine the software running on a Cisco ASR 9000 Series device,
      log in to the device and issue the show version brief command to
      display the system banner. The system banner confirms that the device
      is running Cisco IOS XR Software by displaying text similar to Cisco
      IOS XR Software. The software version is displayed after the text
      Cisco IOS XR Software.
      
      The following example identifies a Cisco ASR 9010 that is running
      Cisco IOS XR Software Release 4.1.0:
      
          RP/0/0/CPU0:Router#show version brief
          Fri Jul  8 18:54:39.222 CEST
      
          Cisco IOS XR Software, Version 4.1.0[Default]
          Copyright (c) 2011 by Cisco Systems, Inc.
      
      
          ROM: System Bootstrap, Version 1.05(20101118:025914) [ASR9K ROMMON],
      
          Router uptime is 9 weeks, 1 day, 5 hours, 53 minutes
          System image file is "bootflash:disk0/asr9k-os-mbi-4.1.0/mbiasr9k-rp.vm"
      
          cisco ASR9K Series (MPC8641D) processor with 4194304K bytes of memory.
          MPC8641D processor at 1333MHz, Revision 2.2
          ASR-9010-CHASSIS
      
          4 Management Ethernet
          8 WANPHY controller(s)
          8 TenGigE
          8 DWDM controller(s)
          40 GigabitEthernet
          4 SONET/SDH
          2 Packet over SONET/SDH
          1 MgmtMultilink
          219k bytes of non-volatile configuration memory.
          975M bytes of compact flash card.
          33994M bytes of hard disk.
          1605616k bytes of disk0: (Sector size 512 bytes).
          1605616k bytes of disk1: (Sector size 512 bytes).
      
      To determine which SMUs are active on the device, issue the show
      install active summary command. This command will return a list of
      all SMUs installed, as shown in the following example:
      
          RP/0/0/CPU0:Router#show install active summary
          Fri Jul  8 19:02:15.887 CEST
            Active Packages:
              disk0:asr9k-doc-p-4.1.0
              disk0:asr9k-mini-p-4.1.0
              disk0:asr9k-k9sec-p-4.1.0
              disk0:asr9k-video-p-4.1.0
      
      Note: The preceding output shows a device without the SMU
      asr9k-p-4.1.0.CSCtr26695.tar installed. Also note that Cisco IOS XR
      Software can include multiple SMUs and the output may differ from the
      preceding example.
      
      Products Confirmed Not Vulnerable
      +--------------------------------
      
      The following products are confirmed not vulnerable:
      
        * Cisco Carrier Routing System (CRS) running any version of Cisco IOS XR Software
        * Cisco XR 12000 Series Routers running any version of Cisco IOS XR Software
        * Cisco 12000 Series Routers running any version of Cisco IOS Software
        * Cisco IOS Software
        * Cisco IOS XE Software
        * Cisco NX-OS Software
        * Cisco ASR 1000 and 5000 Series routers running any version of software
        * Cisco ASR 9000 Series routers running any version of Cisco IOS XR Software other than 4.1.0
        * Cisco ASR 9000 Series routers running Cisco IOS XR Software 
          version 4.1.0 and with the SMU asr9k-p-4.1.0.CSCtr26695.tar installed
      
          To determine which SMUs are active on the device, issue the show
          install active summary command. This will return a list of all
          SMUs installed:
      
              RP/0/0/CPU0:Router#show install active summary
              Fri Jul  8 19:02:15.887 CEST
                Active Packages:
                  disk0:asr9k-p-4.1.0.CSCtr26695-1.0.0
                  disk0:asr9k-p-4.1.0.CSCto96804-1.0.0
                  disk0:asr9k-p-4.1.0.CSCto95435-1.0.0
                  disk0:asr9k-doc-p-4.1.0
                  disk0:asr9k-mini-p-4.1.0
                  disk0:asr9k-k9sec-p-4.1.0
                  disk0:asr9k-video-p-4.1.0
      
          Note: The preceding output shows a device with the SMU
          asr9k-p-4.1.0.CSCtr26695.tar installed (in bold). Also note that
          Cisco IOS XR Software can include multiple SMUs and the output
          may differ from the preceding example.
      
      Details
      =======
      
      Cisco ASR 9000 Series routers are designed to provide carrier-class
      reliability using the Cisco IOS XR Software modular operating system,
      offering service and application-level intelligence focused on
      optimized video delivery and mobile aggregation in Carrier Ethernet
      Services networks.
      
      Cisco IOS XR Software is a distributed operating system designed for
      continuous system operation combined with service flexibility and
      high performance.
      
      Cisco ASR 9000 Series devices running Cisco IOS XR Software version
      4.1.0 contain a vulnerability that may cause a network processor in a
      line card to lock up while processing an IPv4 packet. As a
      consequence of the network processor lockup, the line card that is
      processing the offending packet will automatically reload.
      
      This vulnerability can be triggered only by IPv4 packets. If only IP
      version 6 (IPv6) is in use, the device is not vulnerable.
      
      Both transit IPv4 packets and IPv4 packets directed to the device
      itself may trigger this vulnerability.
      
      One or both the following messages may appear in the system log:
      
        * PLATFORM-DIAGS-3-PUNT_FABRIC_DATA_PATH_FAILED
        * PLATFORM-DIAGS-0-LC_NP_LOOPBACK_FAILED
      
      This vulnerability is documented as CSCtr26695and has been assigned 
      Common Vulnerabilities and Exposures (CVE) ID CVE-2011-2549
      
      Vulnerability Scoring Details
      +----------------------------
      
      Cisco has provided scores for the vulnerability in this advisory
      based on the Common Vulnerability Scoring System (CVSS). The CVSS
      scoring in this Security Advisory is done in accordance with CVSS
      version 2.0.
      
      CVSS is a standards-based scoring method that conveys vulnerability
      severity and helps determine urgency and priority of response.
      
      Cisco has provided a base and temporal score. Customers can then
      compute environmental scores to assist in determining the impact of
      the vulnerability in individual networks.
      
      Cisco has provided an FAQ to answer additional questions regarding
      CVSS at:
      
      http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
      
      Cisco has also provided a CVSS calculator to help compute the
      environmental impact for individual networks at:
      
      http://intellishield.cisco.com/security/alertmanager/cvss
      
      * CSCtr26695 -  ASR9k:Line Card Issue with NP lockup
      
      CVSS Base Score - 7.8
          Access Vector -            Network
          Access Complexity -        Low
          Authentication -           None
          Confidentiality Impact -   None
          Integrity Impact -         None
          Availability Impact -      Complete
      
      CVSS Temporal Score - 6.8
          Exploitability -           Functional
          Remediation Level -        Official-Fix
          Report Confidence -        Confirmed
      
      Impact
      ======
      
      Successful exploitation of the vulnerability described in this
      advisory may cause the affected line card to reload. Repeated
      exploitation could result in a sustained denial of service (DoS)
      condition.
      
      Software Versions and Fixes
      ===========================
      
      When considering software upgrades, also consult http://www.cisco.com/go/psirt
      and any subsequent advisories to determine exposure and a complete 
      upgrade solution.
      
      In all cases, customers should exercise caution to be certain the
      devices to be upgraded contain sufficient memory and that current
      hardware and software configurations will continue to be supported
      properly by the new release. If the information is not clear, contact
      the Cisco Technical Assistance Center (TAC) or your contracted
      maintenance provider for assistance.
      
      Each row of the Cisco IOS XR Software table (below) names a Cisco IOS
      XR Software release train. If a given release train is vulnerable,
      then the earliest possible releases that contain the fix, if
      available at the time of Advisory, are listed in the "First Fixed
      Release" column of the table.
      
      +--------------------------------------------------------------------+
      |    Major    |          Availability of Repaired Releases           |
      |   Release   |                                                      |
      |-------------+------------------------------------------------------|
      |             | SMU ID  | SMU Name                     | First Fixed |
      |             |         |                              | Release     |
      |-------------+------------------------------------------------------|
      | 3.2.X       |                                                      |
      | through     | Not affected                                         |
      | 4.0.X       |                                                      |
      |-------------+------------------------------------------------------|
      | 4.1.0       | AA05118 | asr9k-p-4.1.0.CSCtr26695.tar | 4.1.1       |
      +--------------------------------------------------------------------+
      
      Note: At the time of this advisory, Release 4.1.1 is expected to be
      available on July 29, 2011.
      
      Workarounds
      ===========
      
      There are no workarounds for this vulnerability.
      
      Obtaining Fixed Software
      ========================
      
      Cisco has released free software updates that address these
      vulnerabilities. Prior to deploying software, customers should
      consult their maintenance provider or check the software for feature
      set compatibility and known issues specific to their environment.
      
      Customers may only install and expect support for the feature sets
      they have purchased. By installing, downloading, accessing or
      otherwise using such software upgrades, customers agree to be bound
      by the terms of Cisco's software license terms found at:
      http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
      Or as otherwise set forth at Cisco.com Downloads at:
      http://www.cisco.com/public/sw-center/sw-usingswc.shtml
      
      Do not contact psirt at cisco dot com or security-alert at cisco dot com for
      software upgrades.
      
      Customers with Service Contracts
      +-------------------------------
      
      Customers with contracts should obtain upgraded software through
      their regular update channels. For most customers, this means that
      upgrades should be obtained through the Software Center on Cisco's
      worldwide website at http://www.cisco.com.
      
      Customers using Third Party Support Organizations
      +------------------------------------------------
      
      Customers whose Cisco products are provided or maintained through
      prior or existing agreements with third-party support organizations,
      such as Cisco Partners, authorized resellers, or service providers
      should contact that support organization for guidance and assistance
      with the appropriate course of action in regards to this advisory.
      
      The effectiveness of any workaround or fix is dependent on specific
      customer situations, such as product mix, network topology, traffic
      behavior, and organizational mission. Due to the variety of affected
      products and releases, customers should consult with their service
      provider or support organization to ensure any applied workaround or
      fix is the most appropriate for use in the intended network before it
      is deployed.
      
      Customers without Service Contracts
      +----------------------------------
      
      Customers who purchase direct from Cisco but do not hold a Cisco
      service contract, and customers who purchase through third-party
      vendors but are unsuccessful in obtaining fixed software through
      their point of sale should acquire upgrades by contacting the Cisco
      Technical Assistance Center (TAC). TAC contacts are as follows.
      
        * +1 800 553 2447 (toll free from within North America)
        * +1 408 526 7209 (toll call from anywhere in the world)
        * e-mail: tac at cisco dot com
      
      Customers should have their product serial number available and be
      prepared to give the URL of this notice as evidence of entitlement to
      a free upgrade. Free upgrades for non-contract customers must be
      requested through the TAC.
      
      Refer to:
      http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
      For additional TAC contact information, including localized telephone
      numbers, and instructions and e-mail addresses for use in various languages.
      
      Exploitation and Public Announcements
      =====================================
      
      The Cisco PSIRT is not aware of any public announcements or malicious
      use of the vulnerability described in this advisory.
      
      This vulnerability was found during the resolution of multiple
      customer service requests.
      
      We would like to thank the Internet Measurement Group from the
      University of Washington for their help and support on
      troubleshooting this issue.
      
      Status of this Notice: FINAL
      ============================
      
      THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
      KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
      MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
      INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
      AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
      DOCUMENT AT ANY TIME.
      
      A stand-alone copy or Paraphrase of the text of this document that
      omits the distribution URL in the following section is an
      uncontrolled copy, and may lack important information or contain
      factual errors.
      
      Distribution
      ============
      
      This advisory is posted on Cisco's worldwide website at :
      
      http://www.cisco.com/warp/public/707/cisco-sa-20110720-asr9k.shtml
      
      In addition to worldwide web posting, a text version of this notice
      is clear-signed with the Cisco PSIRT PGP key and is posted to the
      following e-mail and Usenet news recipients.
      
        * cust-security-announce at cisco dot com
        * first-bulletins at lists dot first dot org
        * bugtraq at securityfocus dot com
        * vulnwatch at vulnwatch dot org
        * cisco at spot dot colorado dot edu
        * cisco-nsp at puck dot nether dot net
        * full-disclosure at lists.grok dot org dot uk
        * comp.dcom.sys.cisco at newsgate dot cisco dot com
      
      Future updates of this advisory, if any, will be placed on Cisco's
      worldwide website, but may or may not be actively announced on
      mailing lists or newsgroups. Users concerned about this problem are
      encouraged to check the above URL for any updates.
      
      Revision History
      ================
      
      +--------------------------------------------------------------------+
      | Revision 1.0     | 2011-July-20     | Initial public release       |
      +--------------------------------------------------------------------+
      
      Cisco Security Procedures
      =========================
      
      Complete information on reporting security vulnerabilities in Cisco
      products, obtaining assistance with security incidents, and
      registering to receive security information from Cisco, is available
      on Cisco's worldwide website at:
      http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
      This includes instructions for press inquiries regarding Cisco
      security notices. All Cisco security advisories are available
      at: http://www.cisco.com/go/psirt
      
      +--------------------------------------------------------------------
      Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
      +--------------------------------------------------------------------
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1.4.9 (Darwin)
      
      iF4EAREIAAYFAk4m/30ACgkQQXnnBKKRMND3gAD/QU7mozUjiGpbzBoEtIYGi8uj
      Bhe/TfxZjzFA4tNYZAYA/RUP7WMFrhK9q8jWUrniWTwcbp1PAc90pyPZ2QwTkwFK
      =vnj1
      -----END PGP SIGNATURE-----