CERT Advisory CA-2003-17 Exploit available for for the Cisco IOS Interface

Type securityvulns
Reporter Securityvulns
Modified 2003-07-18T00:00:00



CERT Advisory CA-2003-17 Exploit available for for the Cisco IOS Interface Blocked Vulnerabilities

Original release date: July 18, 2003 Last revised: -- Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

 * All  Cisco  devices  running  Cisco IOS software and configured to
   process Internet Protocol version 4 (IPv4) packets


An exploit has been posted publicly for the vulnerability described in VU#411332, which was announced in


I. Description

      An exploit has been posted publicly for VU#411332. This exploit
      allows  an  attacker  to  interrupt  the  normal operation of a
      vulnerable  device. We believe it is likely that intruders will
      begin using this or other exploits to cause service outages.

      If  you  believe  you have been the victim of intruder activity
      related  to this vulnerability, we encourage you to report that
      activity  to  your local incident response team, if any, and to
      the  CERT  Coordination  Center. Relevant artifacts or activity
      can  be  sent to cert@cert.org with "CERT#24229" in the subject
      line.  If  you are not able to communicate via electronic mail,
      contact  CERT/CC by phone at the number listed at the bottom of
      this document.

      Many  large  service providers have already taken action or are
      in  the  midst  of  upgrading. However, if you have not already
      taken  action, we strongly encourage you to review the advisory
      provided  by  Cisco  and  take  action  in accordance with your
      site's  maintenance  and  change management procedures. Cisco's
      advisory can be found at


      The  CERT/CC  will  continue  to provide information about this
      vulnerability through VU#411332.

      Any  information  regarding  intruder  activity related to this
      vulnerability  will  be  posted to the CERT/CC Currect Activity
      page, available at


II. Impact

      By  sending specially crafted IPv4 packets to an interface on a
      vulnerable  device,  an  intruder  can cause the device to stop
      processing  packets  destined  to  that interface. Quoting from
      Cisco's advisory:

 A  device  receiving  these  specifically crafted IPv4 packets will
 force  the inbound interface to stop processing traffic. The device
 may  stop  processing  packets  destined  to  the router, including
 routing  protocol  packets  and  ARP  packets.  No  alarms  will be
 triggered, nor will the router reload to correct itself. This issue
 can  affect  all  Cisco  devices  running  Cisco IOS software. This
 vulnerability  may  be  exercised  repeatedly  resulting in loss of
 availability  until a workaround has been applied or the device has
 been upgraded to a fixed version of code.

III. Solution

Apply a patch from Cisco

      Upgrade as described in Cisco's Advisory.

Restrict access

      Until  a  patch  can  be  applied,  you  can mitigate the risks
      presented  by  this  vulnerability  by  judicious use of access
      control  lists  (ACLs). The correct use of ACLs depends on your
      network topology. Additionally, ACLs may degrade performance on
      some  systems.  We  recommend  reviewing  the  following before
      applying ACLs:

http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml#workarounds http://www.cisco.com/warp/public/707/racl.html http://www.cisco.com/warp/public/707/iacl.html __________

      The CERT Coordination Center thanks Cisco Systems for notifying
      us  about  this  problem  and  for helping us to construct this

      Authors: Shawn Hernan and Martin Lindner

      This document is available from:

CERT/CC Contact Information

    Email: cert@cert.org
            Phone: +1 412-268-7090 (24-hour hotline)
            Fax: +1 412-268-6989
            Postal address:
            CERT Coordination Center
            Software Engineering Institute
            Carnegie Mellon University
            Pittsburgh PA 15213-3890

      CERT/CC  personnel  answer the hotline 08:00-17:00 EST(GMT-5) /
      EDT(GMT-4)   Monday  through  Friday;  they  are  on  call  for
      emergencies  during  other  hours,  on  U.S.  holidays,  and on

Using encryption

      We  strongly  urge you to encrypt sensitive information sent by
      email. Our public PGP key is available from


      If you prefer to use DES, please call the CERT hotline for more

Getting security information

      CERT  publications and other security information are available
      from our web site


      To  subscribe  to  the  CERT  mailing  list  for advisories and
      bulletins,  send email to majordomo@cert.org. Please include in
      the body of your message
      subscribe cert-advisory

      *  "CERT"  and "CERT Coordination Center" are registered in the
      U.S. Patent and Trademark Office.

      Any  material  furnished  by Carnegie Mellon University and the
      Software  Engineering  Institute  is  furnished  on  an "as is"
      basis.  Carnegie  Mellon  University makes no warranties of any
      kind,  either  expressed or implied as to any matter including,
      but  not  limited  to,  warranty  of  fitness  for a particular
      purpose  or  merchantability,  exclusivity  or results obtained
      from  use  of the material. Carnegie Mellon University does not
      make  any  warranty  of  any  kind with respect to freedom from
      patent, trademark, or copyright infringement.

      Conditions for use, disclaimers, and sponsorship information

      Copyright 2003 Carnegie Mellon University.

      Revision History

July 18, 2003: Initial release

-----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8

iQCVAwUBPxgDAGjtSoHZUTs5AQEY6AQA0hYldKCx/AR+SnYaZG5zJ6lHQp4zL9hs NasNnBnRLW/xqslHBfnjt73pl47cEbZwgVb6B+jjngWHKKRJ2HN8NDijDxkmFvWw QIOflS1neDMTbpuFwbT/KFBUMOR3eXYumlLCa8m2NbxCxt3aaBBZeXrOxGoUEp3L nIbMK+mHKxY= =0maj -----END PGP SIGNATURE-----