Cisco Security Advisory: IPv6 Crafted Packet Vulnerability

2005-07-29 Thread Cisco Systems Product Security Incident Response Team

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: IPv6 Crafted Packet Vulnerability

Revision 1.0

For Public Release 2005 July 29 0800 UTC

----------

Contents


Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: INTERIM
Distribution
Revision History
Cisco Security Procedures

----------

Summary
=======

Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial
of Service (DoS) and potentially an arbitrary code execution attack from a
specifically crafted IPv6 packet. The packet must be sent from a local network
segment. Only devices that have been explicitly configured to process IPv6
traffic are affected. Upon successful exploitation, the device may reload or be
open to further exploitation.

Cisco has made free software available to address this vulnerability for all
affected customers.

This advisory will be posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.

Affected Products
=================

Vulnerable Products

This issue affects all Cisco devices running any unfixed version of Cisco IOS
code that supports, and is configured for, IPv6. A device which supports IPv6
must have the interfaces specifically disabled to not be affected. IPv6 must be
completely disabled using both the command no ipv6 address and no ipv6 enable
on each interface.

Sample output of the show ipv6 interface command is shown below for two
systems, one not configured for IPv6 and one configured for IPv6.

An empty output or an error message will be displayed if IPv6 is disabled or
unsupported on the system.

Router#show ipv6 int fa 0/0

-here you see blank output


In the example below the system is vulnerable.

Router#show ipv6 interface
Serial1/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:D200
  Global unicast address(es):
    2001:1:33::3, subnet is 2001:1:33::/64
  Joined group address(es):
    FF02::1
    FF02::1:FF00:3
    FF02::1:FF00:D200
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 3 milliseconds
Router#


A router that has IPv6 enabled on a physical or logical interface is vulnerable
to this issue even if ipv6 unicast-routing is globally disabled. The show ipv6
interface command can be used to determine whether IPv6 is enabled on any
interface.

To determine the software running on a Cisco product, log in to the device and
issue the show version command to display the system banner. Cisco IOS Software
will identify itself as Internetwork Operating System Software or simply
IOS. On the next line of output, the image name will be displayed between
parentheses, followed by Version and the IOS release name. Other Cisco
devices will not have the show version command or will give different output.

The following example shows a product running IOS release 12.3(6) with an image
name of C2600-JS-MZ:

Cisco Internetwork Operating System Software IOS (tm)

C2600 Software (C2600-JS-MZ), Version 12.3(6), RELEASE SOFTWARE (fc1)


Additional information about Cisco IOS release naming can be found at
http://www.cisco.com/warp/public/620/1.html.

Products Confirmed Not Vulnerable

Products that are not running Cisco IOS are not affected.

Products running any version of Cisco IOS that do not have IPv6 configured
interfaces are not vulnerable.

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
=======

IPv6 is the Internet Protocol Version 6, designed by the Internet Engineering
Task Force (IETF) to replace the current version Internet Protocol, IP Version
4 (IPv4).

A vulnerability exists in the processing of IPv6 packets. Crafted packets from
the local segment received on logical interfaces (that is, tunnels including
6to4 tunnels) as well as physical interfaces can trigger this vulnerability.
Crafted packets can not traverse a 6to4 tunnel and attack a box across the
tunnel.

The crafted packet must be sent from a local network segment to trigger the
attack. This vulnerability can not be exploited one or more hops from the IOS
device.

This issue is documented in Cisco bug ID CSCef68324.

Impact
======

Successful exploitation of the vulnerability may result in a reload of the
device or execution of arbitrary code. Repeated exploitation could result in a
sustained DoS attack or execution of arbitrary code.

Software Versions and Fixes
===========================

Each row of the Cisco IOS software table below describes a release train and
the platforms

Cisco Security Advisory: IPv6 Crafted Packet Vulnerability

2005-07-29 Thread Fergie (Paul Ferguson)


Got v6?

- ferg

[snip]

Summary

Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial 
of Service (DoS) and potentially an arbitrary code execution attack from a 
specifically crafted IPv6 packet. The packet must be sent from a local network 
segment. Only devices that have been explicitly configured to process IPv6 
traffic are affected. Upon successful exploitation, the device may reload or be 
open to further exploitation.

Cisco has made free software available to address this vulnerability for all 
affected customers.

This advisory will be posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml

[snip]


--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/
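
The exposure check from the advisory's Affected Products section (which interfaces have IPv6 enabled, and which IOS image and release the show version banner reports), as an added example that is not part of the advisory or of either message. The Tunnel0 entry and its address are constructed, the function names are hypothetical, and the parsing assumes only the line formats quoted in the advisory.

```python
import re

# Constructed sample in the format the advisory shows; Tunnel0 is invented here.
SHOW_IPV6_INTERFACE = """\
Router#show ipv6 interface
Serial1/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:D200
  Global unicast address(es):
    2001:1:33::3, subnet is 2001:1:33::/64
Tunnel0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C0A8:101
Router#
"""

# Banner lines as quoted in the advisory.
SHOW_VERSION = """\
Cisco Internetwork Operating System Software IOS (tm)
C2600 Software (C2600-JS-MZ), Version 12.3(6), RELEASE SOFTWARE (fc1)
"""

IFACE_RE = re.compile(r"^(\S+) is .+, line protocol is ")
ENABLED_RE = re.compile(r"^\s+IPv6 is enabled, link-local address is (\S+)")
BANNER_RE = re.compile(r"\(([^)]+)\), Version ([^,\s]+)")

def ipv6_enabled_interfaces(output):
    """Map interface name -> link-local address for IPv6-enabled interfaces."""
    found, current = {}, None
    for line in output.splitlines():
        header = IFACE_RE.match(line)
        if header:
            current = header.group(1)  # unindented line starts a new interface
            continue
        enabled = ENABLED_RE.match(line)
        if enabled and current:
            found[current] = enabled.group(1)
    return found  # empty dict: blank or error output, IPv6 not enabled

def ios_image_and_version(show_version):
    """Return (image name, release) from the banner, or None if not IOS."""
    if "IOS" not in show_version:
        return None
    match = BANNER_RE.search(show_version)
    return (match.group(1), match.group(2)) if match else None

if __name__ == "__main__":
    print(ipv6_enabled_interfaces(SHOW_IPV6_INTERFACE))
    print(ios_image_and_version(SHOW_VERSION))
```

Any interface returned by the first function needs both no ipv6 address and no ipv6 enable applied, per the advisory, unless the device runs a fixed release.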