Cisco IOS Crafted IPv6 Packet Remote Code Execution

2005-07-27T05:26:13
ID OSVDB:18332
Type osvdb
Reporter Michael Lynn (abaddon@io.com)
Modified 2005-07-27T05:26:13

Description

Vulnerability Description

Cisco IOS contains a flaw that may allow a malicious user to cause a denial of service condition or execute arbitrary code. The issue is triggered when a crafted IPv6 packet is sent to a router running a vulnerable version of the IPv6 code. Successful exploitation may result in a loss of integrity and/or availability.

Technical Description

Exploit code for the above vulnerability was demonstrated at Black Hat 2005. The exploit code, which was not released, shoveled a reverse shell with full enable access to a listening console on the attacking machine. While the attack must come from a directly connected subnet, this is still a remote attack.

Solution Description

Upgrade to the version appropriate for your installation, as outlined in the vulnerable version matrix provided by Cisco. It is also possible to correct the flaw by implementing the following workaround(s): Disable support for IPv6. IPv6 support is enabled on most versions of IOS by default. To disable IPv6 on a router which supports it, the "no ipv6 enable" and "no ipv6 address" commands must be given within the configuration of each interface on the router.
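
The workaround above has to be applied interface by interface, so it helps to audit a saved configuration for interfaces that still have IPv6 turned on. The following is an added example, not part of the original advisory or Cisco's tooling; the sample configuration is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample running-config (not taken from the advisory).
SAMPLE_CONFIG = """\
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ipv6 enable
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ipv6 address 2001:DB8:1::1/64
 ipv6 enable
!
interface Serial0/0
 no ipv6 enable
!
interface Loopback0
 description ipv6 address plan pending
!
end
"""

# Matches only active IPv6 commands, not "no ipv6 ..." or descriptions.
IPV6_ON = re.compile(r"^ipv6 (enable|address)\b")

def interfaces_with_ipv6(config_text):
    """Return {interface: [ipv6 lines]} for interfaces that still have IPv6 on."""
    findings, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
        elif not raw.startswith(" "):
            current = None  # left the interface block ("!" or a global command)
        elif current and IPV6_ON.match(raw.strip()):
            findings.setdefault(current, []).append(raw.strip())
    return findings

def remediation(findings):
    """Emit the workaround commands named in the advisory, per interface."""
    lines = []
    for ifname in findings:
        lines += [f"interface {ifname}", " no ipv6 enable", " no ipv6 address"]
    return lines

if __name__ == "__main__":
    found = interfaces_with_ipv6(SAMPLE_CONFIG)
    for ifname, hits in found.items():
        print(f"{ifname}: {', '.join(hits)}")
    print("\n".join(remediation(found)))
```

The generated command list is a review aid for the change request; verify it against the device before applying it.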

References:

Vendor Specific Advisory URL
Security Tracker: 1014598
Secunia Advisory ID: 16272
Other Advisory URL: http://xforce.iss.net/xforce/alerts/id/201
Other Advisory URL: http://www.irmplc.com/index.php/69-Whitepapers
News Article: http://blog.washingtonpost.com/securityfix/2005/07/black_hat_day_1_update_on_cisc.html
News Article: http://www.news.com/2100-1002_3-5812044.html
News Article: http://www.wired.com/news/technology/0,1282,68435,00.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-06/0567.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-06/0558.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-07/0508.html
Keyword: ciscogate
Keyword: cisco-gate
Keyword: cisco gate
Keyword: CSCef68324
Keyword: michael lynn
ISS X-Force ID: 21591
CVE-2005-2451
CERT VU: 930892
CERT: TA05-210A