Technical Cyber Security Alert TA04-316A - There is a vulnerability in the way Cisco IOS processes DHCP packets. Exploitation of this vulnerability may lead to a denial of service. The processing of DHCP packets is enabled by default.
6d7e0df60be9abbc7bb549866d6dd8df85bbe76ad2cdc57356c933aab7f8eb8e
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Technical Cyber Security Alert TA04-316A
Cisco IOS Input Queue Vulnerability
Original release date: November 11, 2004
Last revised: --
Source: US-CERT
Systems Affected
* Cisco routers, switches, and line cards running vulnerable
versions of IOS
The following versions of IOS are known to be affected:
* 12.2(18)EW
* 12.2(18)EWA
* 12.2(18)S
* 12.2(18)SE
* 12.2(18)SV
* 12.2(18)SW
* 12.2(14)SZ
Overview
There is a vulnerability in the way Cisco IOS processes DHCP packets.
Exploitation of this vulnerability may lead to a denial of service.
The processing of DHCP packets is enabled by default.
I. Description
The Dynamic Host Configuration Protocol (DHCP) provides a means for
distributing configuration information to hosts on a TCP/IP
network.The Cisco Internetwork Operating System (IOS) contains a
vulnerability that allows malformed DHCP packets to cause an affected
device to stop processing incoming network traffic.
Cisco routers, switches, and line cards provide support for processing
DHCP packets. Cisco devices can act as a DHCP server, providing host
configuration information to clients, or they can forward DHCP and
BootP requests as a relay agent. The affected devices have the DHCP
service enabled by default and will accept and process incoming DHCP
packets. When a DHCP packet is received, it is placed into an input
queue so it can be processed. Undeliverable DHCP packets may remain in
the queue if malformed in a certain way. When the queue becomes full,
the device will stop accepting all traffic on that interface, not just
DHCP traffic.
The DHCP service is enabled by default in IOS. DHCP can only be
disabled when the no service dhcp command is specified in the running
configuration. Cisco notes the following in their advisory:
"Cisco routers are configured to process and accept DHCP
packets by default, therefore the command service dhcp does not
appear in the running configuration display, and only the
command for the disabled feature, no service dhcp, will appear
in the running configuration display when the feature is
disabled. The vulnerability is present, regardless if the DHCP
server or relay agent configurations are present on an affected
product. The only required configuration for this vulnerability
in affected versions is the lack of the no service dhcp
command."
Cisco is tracking this issue as CSCee50294. US-CERT is tracking this
issue as VU#630104.
II. Impact
By sending a specially crafted DHCP packet to an affected device, a
remote, unauthenticated attacker could cause the device to stop
processing incoming network traffic. Repeated exploitation of this
vulnerability could lead to a sustained denial-of-service condition.
In order to regain functionality, the device must be rebooted to clear
the input queue on the interface.
III. Solution
Upgrade to fixed versions of IOS
Cisco has published detailed information about upgrading affected
Cisco IOS software to correct this vulnerability. System managers are
encouraged to upgrade to one of the non-vulnerable releases. For
additional information regarding availability of repaired releases,
please refer to the "Software Versions and Fixes" section of the Cisco
Security Advisory.
Workarounds
Cisco recommends a number of workarounds. For a complete list of
workarounds, see the Cisco Security Advisory.
Appendix A. References
* Vulnerability Note VU#630104 -
<http://www.kb.cert.org/vuls/id/630104>
* Cisco Security Advisory: "Cisco IOS DHCP Blocked Interface
Denial-of-Service" -
<http://www.cisco.com/warp/public/707/cisco-sa-20041110-dhcp.shtml
>
_________________________________________________________________
US-CERT thanks Cisco Systems for notifying us about this problem.
_________________________________________________________________
Feedback can be directed to the authors: Jeff Havrilla, Damon Morda,
and Jason Rafail
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/techalerts/TA04-316A.html>
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
Nov 11, 2004: Initial release
Last updated November 11, 2004
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQZP5KBhoSezw4YfQAQLfEAgAlabhwlqCsQXLVFjedNKxa2CmRPYta5aC
GXy6I+TDAVv7V57pz4QE4LxreUEb2vyc8CE4TWUy5PL7+tR0IEduur7XXnOs13Is
O77GyYxBzxtOi+12zAui2wVM8gepobMS6JwYY7V5tyCRZ7mT7lGkVXzO2xHwFsM7
l6meXU/3eO0AjUv5NmJWBuWuGcPny3qyy3M4rgAcRCXIEWaVMnSCAALfSfPS6Ea8
6qYTmXOCbOnEC1RfdnRDgfmnWGwX5RlOPSrDJr3uS5DEkuEvFwaBnIDWMVtQUnvv
oL1jZwbFVY1WNuPIosKSFSBs0U4l7RStiwSw3BF/EbgPrUBg3ugYyw==
=gshZ
-----END PGP SIGNATURE-----