Cisco IOS Software TELNET Option Handling Vulnerability
Revision 1.0
For public release Thursday 2000/04/20 at 09:00 AM US/Eastern (UTC-0400).
A defect in multiple Cisco IOS software versions will cause a Cisco router
to reload unexpectedly when the router is tested for security
vulnerabilities by security scanning software programs. The defect can be
exploited repeatedly to produce a consistent denial of service (DoS) attack.
Customers using the affected Cisco IOS software releases are urged to
upgrade as soon as possible to later versions that are not vulnerable to
this defect. Vulnerable products and releases are listed in detail below.
The security scanner is testing for the presence of two specific
vulnerabilities that affect certain UNIX-based systems. The vulnerabilities
are unrelated to Cisco IOS software and Cisco IOS software is not directly
at risk from them. However, a side-effect of the tests exposes the defect
described in this security advisory, and the router will reload unexpectedly
as soon as it receives any subsequent traffic.
This defect is documented as Cisco Bug ID CSCdm70743.
The following Major Releases of Cisco IOS software are vulnerable to this
defect:
Cisco customers running Cisco IOS software versions 11.3, 11.3T, 11.2 or
lower, and 12.0(8) or 12.1 or higher are not affected. Details regarding
specific releases of Cisco IOS software and suggested upgrade paths are
provided below in the section "Software Versions and Fixes".
This vulnerability affects the following Cisco hardware products if they are
running affected software:
The SC3640 System Controller is a Cisco 3640 router customized to provide
local management of multiple access servers. The Cisco SC3640 binary image
contains the defect and thus is vulnerable if it is possible for the
attacker to telnet to the device. However, the original Cisco 3640 router
does not contain the defect and is not vulnerable to the denial of service
attack described in this notice.
No other Cisco products are affected by this vulnerability.
Software packages are available from various commercial and free sites that
perform automated remote tests for computer security vulnerabilities by
scanning computers on a network for known security flaws. Two security
vulnerabilities associated with several UNIX-based platforms are the subject
of two specific tests that have the same effect on vulnerable Cisco routers.
The scanning program is asserting the Telnet ENVIRON option, #36, before the
router indicates that it is willing to accept it, and this causes the router
to reload unexpectedly.
The described defect can be used to mount a consistent and repeatable denial
of service (DoS) attack on any vulnerable Cisco product, which may result in
violations of the availability aspects of a customer's security policy. This
defect by itself does not cause the disclosure of confidential information
nor allow unauthorized access.
For the affected Cisco IOS software Major Release version shown in the first
column of the table below, customers should upgrade to the known
invulnerable releases listed to the right in the same row. In general,
customers should upgrade to the release in the column furthest to the right
within the same row. For example, any customer running 12.0 "mainline"
(Major Release) should upgrade at least to 12.0(7.1), but preferably to
12.0(8).
Any release not specifically listed in the left-most column below is
unaffected by the vulnerability.
The projected release date is shown with the software release version number
for those releases that are not yet complete or available on CCO.*
An "interim release" is scheduled and contains numerous fixes and occasional
enhancements that carry forward into all later versions.** A "maintenance
release" is a regularly scheduled event that incorporates significant
enhancements and cumulative fixes; it may be the entry point for support of
noteworthy new technology in Cisco IOS software.
Unaffected Earlier Releases
11.3-based Releases
AS5800 support
12.0-based Releases
12.0 12.0 mainline 12.0(7.1) 12.0(8)
ISP support: 12.0(6.6)S 12.0(7)S
12.0S 7200, RSP, -------------------------------------------
GSR12000 12.0(7.1)S 12.0(8)S
12.0 new 12.0(6.5)T3
12.0T technology early --------------------- 12.0(7)T
deployment release 12.0(6.5)T4
12.0W 12.0 for Catalyst 12.0(6.5)W5(16.0.9) 12.0(6.5)W5(17),
8500 and LS1010 2000/04/18*
Short-life
release for
Short-life
release for
12.1-based Releases
** Interim releases are subjected to less internal testing and verification
than are regular releases, may have serious bugs, and should be installed
with great care.
*** 12.0(8)SC is not vulnerable to this defect, but due to other issues it
is no longer available on CCO as of the date of this notice. Upgrade instead
to 12.0(9)SC.
Cisco is offering free software upgrades to remedy this vulnerability for
all affected customers. Customers with service contracts may upgrade to any
software version. Customers without contracts may upgrade only within a
single row of the table above, except that any available fixed software will
be provided to any customer who can use it and for whom the standard fixed
software is not yet available. Customers may install only the feature sets
they have purchased.
Note that not all fixed software may be available as of the release date of
this notice.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades should
be obtained via the Software Center on Cisco's Worldwide Web site at
http://www.cisco.com/.
Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:
Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested through
the TAC. Please do not contact either "[email protected]" or
"[email protected]" for software upgrades.
The vulnerability described in this notice can only be exploited if the
Telnet service is configured on the affected system and reachable from the
attacker's computer. The following recommendations provide an interactive
login capability without using the Telnet service, thus mitigating the
threat in lieu of a software upgrade while preserving remote access to the
router for administrative purposes:
The wide variety of customer configurations make it impossible to judge the
effectiveness and relative merits of these workarounds in lieu of a software
upgrade. Customers are cautioned to evaluate these recommendations carefully
with regard to their specific network configurations.
As of the date of this notice, Cisco knows of no publicity, discussion, nor
reports of malicious exploitation of this specific vulnerability applied
directly against a Cisco product.
The denial of service (DoS) aspect of this vulnerability was reported to
Cisco by several different customers who found it while conducting security
scans of their networks. The defect that causes this vulnerability,
documented in CSCdm70743, was discovered internally by a Cisco development
engineer.
This is a final field notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all of the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions of
this notice unless there is some material change in the facts. Should there
be a significant change in the facts, Cisco may update this notice. Please
make note of the posting details in the next section and periodically check
for changes.
This notice is posted at
http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml.
In addition to posting on the World-Wide Web, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail lists and Usenet newsgroups:
Future updates of this notice, if any, will be placed on Cisco's World-Wide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.
1.0 2000/04/20 Initial public release
All contents copyright © 1992–2000 Cisco Systems Inc. Important notices.