eyec (TechnicalUser) (OP)
11 Nov 04 19:34
Technical Cyber Security Alert TA04-316A
Cisco IOS Input Queue Vulnerability

   Original release date: November 11, 2004
   Last revised: --
   Source: US-CERT

Systems Affected

     * Cisco routers, switches, and line cards running vulnerable versions of IOS

       The following versions of IOS are known to be affected:

         * 12.2(18)EW
         * 12.2(18)EWA
         * 12.2(18)S
         * 12.2(18)SE
         * 12.2(18)SV
         * 12.2(18)SW
         * 12.2(14)SZ

Overview

   There is a vulnerability in the way Cisco IOS processes DHCP packets.  Exploitation of this vulnerability may lead to a denial of service.  The processing of DHCP packets is enabled by default.

I. Description

   The Dynamic Host Configuration Protocol (DHCP) provides a means for distributing configuration information to hosts on a TCP/IP network. The Cisco Internetwork Operating System (IOS) contains a vulnerability that allows malformed DHCP packets to cause an affected device to stop processing incoming network traffic.

   Cisco routers, switches, and line cards provide support for processing DHCP packets. Cisco devices can act as a DHCP server, providing host configuration information to clients, or they can forward DHCP and BootP requests as a relay agent. The affected devices have the DHCP service enabled by default and will accept and process incoming DHCP packets. When a DHCP packet is received, it is placed into an input queue so it can be processed. Undeliverable DHCP packets may remain in the queue if malformed in a certain way. When the queue becomes full, the device will stop accepting all traffic on that interface, not just DHCP traffic.

   The DHCP service is enabled by default in IOS. DHCP can only be disabled when the no service dhcp command is specified in the running configuration. Cisco notes the following in their advisory:

       "Cisco routers are configured to process and accept DHCP packets by default, therefore the command service dhcp does not appear in the running configuration display, and only the command for the disabled feature, no service dhcp, will appear in the running configuration display when the feature is disabled. The vulnerability is present, regardless if the DHCP server or relay agent configurations are present on an affected product. The only required configuration for this vulnerability in affected versions is the lack of the no service dhcp command."

   Cisco is tracking this issue as CSCee50294. US-CERT is tracking this issue as VU#630104.

II. Impact

   By sending a specially crafted DHCP packet to an affected device, a remote, unauthenticated attacker could cause the device to stop processing incoming network traffic. Repeated exploitation of this vulnerability could lead to a sustained denial-of-service condition.  In order to regain functionality, the device must be rebooted to clear the input queue on the interface.

III. Solution

Upgrade to fixed versions of IOS

   Cisco has published detailed information about upgrading affected Cisco IOS software to correct this vulnerability. System managers are encouraged to upgrade to one of the non-vulnerable releases. For additional information regarding availability of repaired releases, please refer to the "Software Versions and Fixes" section of the Cisco Security Advisory.

Workarounds

   Cisco recommends a number of workarounds. For a complete list of workarounds, see the Cisco Security Advisory.

Appendix A. References

     * Vulnerability Note VU#630104 -
       <http://www.kb.cert.org/vuls/id/630104>

     * Cisco Security Advisory: "Cisco IOS DHCP Blocked Interface Denial-of-Service" -
       <http://www.cisco.com/warp/public/707/cisco-sa-20041110-dhcp.shtml>
   _________________________________________________________________

   US-CERT thanks Cisco Systems for notifying us about this problem.
   _________________________________________________________________
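The advisory makes two points a defender has to check together: the device runs one of the listed IOS releases, and the running configuration lacks `no service dhcp` (the enabled state is the default and prints nothing, so only the negated command is ever visible). The following audit script is an added example, not part of the US-CERT alert or of the Tek-Tips post; it parses captured `show version` and `show running-config` text and reports exposure under those two conditions. The regular expression for the version banner and the two sample device outputs are constructed assumptions for illustration, not output from any real device.

```python
"""Audit captured Cisco IOS output against US-CERT TA04-316A.

Added example (not from the advisory). Inputs are the text of
`show version` and `show running-config`. The sample outputs below are
constructed for illustration only.
"""
import re
from typing import Optional

# IOS releases the advisory lists as known to be affected.
AFFECTED_VERSIONS = {
    "12.2(18)EW", "12.2(18)EWA", "12.2(18)S", "12.2(18)SE",
    "12.2(18)SV", "12.2(18)SW", "12.2(14)SZ",
}

# Assumed shape of the release token in a `show version` banner,
# e.g. "Version 12.2(18)SE, RELEASE SOFTWARE". Rebuild suffixes such as
# "SE1" are captured too, so they can be reported without being
# silently treated as one of the listed releases.
VERSION_RE = re.compile(r"Version\s+(\d+\.\d+\(\d+\)[A-Za-z0-9]*)")


def parse_ios_version(show_version: str) -> Optional[str]:
    """Return the first release string found (e.g. '12.2(18)SE'), or None."""
    m = VERSION_RE.search(show_version)
    return m.group(1) if m else None


def dhcp_service_enabled(running_config: str) -> bool:
    """DHCP processing is on unless `no service dhcp` is present.

    `service dhcp` is never shown when enabled (it is the default), so the
    absence of the negated line is what marks the device as processing DHCP.
    """
    for line in running_config.splitlines():
        if line.strip() == "no service dhcp":
            return False
    return True


def assess(show_version: str, running_config: str) -> dict:
    """Combine the version and configuration checks into one verdict."""
    version = parse_ios_version(show_version)
    affected_version = version in AFFECTED_VERSIONS
    dhcp_on = dhcp_service_enabled(running_config)
    if affected_version and dhcp_on:
        advice = ("affected release with DHCP processing enabled: upgrade to a "
                  "fixed IOS release; see the Cisco advisory for workarounds")
    elif affected_version:
        advice = "affected release but `no service dhcp` is set; upgrade when possible"
    else:
        advice = "release not in the TA04-316A affected list"
    return {
        "version": version,
        "affected_version": affected_version,
        "dhcp_enabled": dhcp_on,
        # Exposed only when both conditions hold.
        "exposed": affected_version and dhcp_on,
        "recommendation": advice,
    }


# Constructed sample captures (not from a real device).
SAMPLE_SHOW_VERSION = (
    "Cisco Internetwork Operating System Software\n"
    "IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.2(18)SE, "
    "RELEASE SOFTWARE (fc1)\n"
)
SAMPLE_CONFIG_DEFAULT = (
    "hostname edge-sw1\n!\ninterface Vlan1\n"
    " ip address 192.0.2.1 255.255.255.0\n!\n"
)
SAMPLE_CONFIG_HARDENED = (
    "hostname edge-sw1\n!\nno service dhcp\n!\ninterface Vlan1\n"
    " ip address 192.0.2.1 255.255.255.0\n!\n"
)

if __name__ == "__main__":
    for label, cfg in (("default", SAMPLE_CONFIG_DEFAULT),
                       ("hardened", SAMPLE_CONFIG_HARDENED)):
        print(label, assess(SAMPLE_SHOW_VERSION, cfg))
```

Feed it the two captures from each device in inventory; a device is flagged only when its release is on the list and the configuration does not contain `no service dhcp`, which mirrors the condition the advisory states.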
