The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[NEWS] Cisco Internetwork Operating System IPv6 DoS and Arbitrary Code Execution


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 1 Aug 2005 18:44:20 +0200
Subject: [NEWS] Cisco Internetwork Operating System IPv6 DoS and Arbitrary Code Execution
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050801162937.3BB2F5802@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -




  Cisco Internetwork Operating System IPv6 DoS and Arbitrary Code Execution
------------------------------------------------------------------------


SUMMARY

IPv6 is the "Internet Protocol Version 6", designed by the Internet 
Engineering Task Force (IETF) to replace the current version Internet 
Protocol, IP Version 4 (IPv4).

Cisco Internetwork Operating System (IOS ) Software is vulnerable to a 
Denial of Service (DoS) and potentially an arbitrary code execution attack 
from a specifically crafted IPv6 packet. The packet must be sent from a 
local network segment. Only devices that have been explicitly configured 
to process IPv6 traffic are affected. Upon successful exploitation, the 
device may reload or be open to further exploitation.

DETAILS

Vulnerable Systems:
A list of vulneable systems can be found at:  
<http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml#software> http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml#software

Techincal Details:
A vulnerability exists in the processing of IPv6 packets. Crafted packets 
from the local segment received on logical interfaces (that is, tunnels 
including 6to4 tunnels) as well as physical interfaces can trigger this 
vulnerability. Crafted packets can not traverse a 6to4 tunnel and attack a 
box across the tunnel.

The crafted packet must be sent from a local network segment to trigger 
the attack. This vulnerability can not be exploited one or more hops from 
the IOS device.

This issue affects all Cisco devices running any unfixed version of Cisco 
IOS or Cisco IOS XR code that supports, and is configured for, IPv6. A 
system which supports IPv6, if not specifically configured for IPv6, is 
not affected. You can use the show ipv6 interface  command to determine 
whether IPv6 is enabled on a system.

Successful exploitation of the vulnerability on Cisco IOS may result in a 
reload of the device or execution of arbitrary code. Repeated exploitation 
could result in a sustained DoS attack or execution of arbitrary code on 
Cisco IOS devices.

Successful exploitation of the vulnerability on Cisco IOS-XR may result in 
a restart of the IPv6 neighbor discovery process. A restart of this 
process will only affect IPv6 traffic passing through the system. All 
other processes and traffic will be unaffected. Repeated exploitation 
could result in a sustained DoS attack on IPv6 traffic.

Example:
Sample output of the show ipv6 interface command is shown below for two 
systems, one not configured for IPv6 and one configured for IPv6.
An empty output or an error message will be displayed if IPv6 is disabled 
or unsupported on the system.

 Router#show ipv6 int fa 0/0
 -here you see blank output

In the example below the system is vulnerable.

Router#show ipv6 interface
Serial1/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:D200
  Global unicast address(es):
    2001:1:33::3, subnet is 2001:1:33::/64
  Joined group address(es):
    FF02::1
    FF02::1:FF00:3
    FF02::1:FF00:D200
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
Router#

A router that has IPv6 enabled on a physical or logical interface is 
vulnerable to this issue even if ipv6 unicast-routing is globally 
disabled. The show ipv6 interface command can be used to determine whether 
IPv6 is enabled on any interface.

To determine the software running on a Cisco product, log in to the device 
and issue the show version command to display the system banner. Cisco IOS 
Software will identify itself as "Internetwork Operating System Software" 
or simply "IOS." On the next line of output, the image name will be 
displayed between parentheses, followed by "Version" and the IOS release 
name. Other Cisco devices will not have the show version command or will 
give different output.

The following example shows a product running IOS release 12.3(6) with an 
image name of C2600-JS-MZ:
Cisco Internetwork Operating System Software IOS (tm)
C2600 Software (C2600-JS-MZ), Version 12.3(6), RELEASE SOFTWARE (fc1)

Additional information about Cisco IOS release naming can be found at  
<http://www.cisco.com/warp/public/620/1.html>; 
http://www.cisco.com/warp/public/620/1.html.

A system that is running a Cisco IOS XR version prior to 3.2 is also 
affected by this vulnerability if configured for IPv6. The show ipv6 
interface command can be used to identify whether IPv6 is enabled on a 
system running Cisco IOS XR.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:psirt@cisco.com.> Cisco.com.
The original article can be found at:  
<http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml>; 
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml




This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: [email protected] In order to subscribe to the mailing list, simply forward this email to: [email protected]

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру