-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS IPS Denial of Service
Vulnerability
Advisory ID: cisco-sa-20080924-iosips
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
Revision 1.0
For Public Release 2008 September 24 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
======
The Cisco IOS Intrusion Prevention System (IPS) feature contains a
vulnerability in the processing of certain IPS signatures that use
the SERVICE.DNS engine. This vulnerability may cause a router to
crash or hang, resulting in a denial of service condition.
Cisco has released free software updates that address this
vulnerability. There is a workaround for this vulnerability.
Note: This vulnerability is not related in any way to CVE-2008-1447 -
Cache poisoning attacks. Cisco Systems has published a Cisco Security
Advisory for that vulnerability, which can be found at
http://www.cisco.com/en/US/products/products_security_advisory09186a00809c2168.shtml
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
Note: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml
Individual publication links are listed below:
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
* http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
Affected Products
================
Vulnerable Products
+------------------
Any Cisco IOS device configured with the Cisco IOS IPS feature is
vulnerable, regardless if it is configured to use the built-in
signatures or an external signature file. Devices using either
version 4 or version 5 signatures are affected by this vulnerability.
The Cisco IOS IPS feature is not enabled by default. The command show
ip ips interfaces can be used to determine if the Cisco IOS IPS
feature has been configured and applied to any interface on the
device, as in the following example:
Router#show ip ips interfaces
Interface Configuration
Interface FastEthernet0/0
Inbound IPS rule is ios-ips-incoming
Outgoing IPS rule is not set
Interface FastEthernet0/1
Inbound IPS rule is not set
Outgoing IPS rule is ios-ips-outgoing
Router#
The output of the show ip ips interfaces command when the Cisco IOS
IPS feature has not been configured is dependent on which Cisco IOS
release is installed and running on the device. It may be similar to
the following example:
Router#show ip ips interfaces
Router#
or it may be similar to the following:
Router#show ip ips interfaces
Interface Configuration
IPS is not configured on any interface
Router#
Any version of Cisco IOS prior to the versions which are listed in
the Software Versions and Fixes section below is vulnerable.
To determine the version of the Cisco IOS software running on a Cisco
product, log in to the device and issue the show version command to
display the system banner. Cisco IOS software will identify itself as
"Internetwork Operating System Software" or simply "IOS". On the next
line of output, the image name will be displayed between parentheses,
followed by "Version" and the IOS release name. Other Cisco devices
will not have the show version command or will give different output.
The following example identifies a Cisco product running Cisco IOS
Software release 12.3(26) with an installed image name of C2500-IS-L:
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih