|
|
|
|
| |
It is possible to send an Address Resolution Protocol (ARP) packet on a local broadcast interface (for example: Ethernet, cable, token-ring, FDDI) which could cause a router or switch running specific versions of Cisco IOS Software Release or CatOS to stop sending and receiving ARP packets on the local router interface. This in a short time will cause the router and local hosts to be unable to send packets to each other. ARP packets received by the router for the router's own interface address but a different Media Access Control (MAC) address will overwrite the router's MAC address in the ARP table with the one from the received ARP packet. This was demonstrated to attendees of the Black Hat conference and should be considered to be public knowledge. This attack is only successful against devices on the segment local to the attacker or attacking host.
This vulnerability is documented in Cisco Bug ID CSCdu81936, and a workaround is available. |
| |
Credit:
The information has been provided by Tringali, Michael J. and Cisco Systems Product Security Incident Response Team.
|
| |
Affected Products:
The following products are affected if they run a software release that has the defect.
To determine if a Cisco product is running an affected IOS, log in to the device and issue the command show version. Cisco IOS software will identify itself as "Internetwork Operating System Software" or "IOS (tm)" software and will display a version number. Other Cisco devices either will not have the command show version, or will give different output. Compare the version number obtained from the router with the versions presented in the Software Versions and Fixes section below.
Cisco devices that may be running with affected IOS software releases include:
* Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 6400, 7000, 7200, ubr7200, 7500, and 12000 series.
* Most recent versions of the LS1010 ATM switch.
* The Catalyst 6000.
* The Catalyst 2900XL LAN switch.
* The Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN switches are affected.
* The Cisco DistributedDirector.
If you are not running Cisco IOS software, you are not affected by this vulnerability.
Cisco products that do not run Cisco IOS software and are not affected by this defect include, but are not limited to:
* 700 series dialup routers (750, 760, and 770 series) are not affected.
* WAN switching products in the IGX and BPX lines are not affected.
* The MGX (formerly known as the AXIS shelf) is not affected.
* No host-based software is affected.
* The Cisco PIX Firewall is not affected.
* The Cisco LocalDirector is not affected.
* The Cisco Cache Engine is not affected.
Details:
ARP packets, both request and reply, received by the router for the router's own interface address or global Network Address Translation (NAT) entries, but a different MAC address will overwrite the router's MAC address in the router's ARP table with the one in the ARP request or reply. Cisco IOS router devices will defend the MAC address of an interface for several attempts, but in an attempt to prevent an ARP storm, the device will accept the incorrect information into the ARP table, which causes the interface to stop accepting new ARP entries, and entries will not be accepted or updated in the ARP table. This behavior has been repaired to properly defend the interface MAC address, with rate limiting the response to avoid an ARP storm on the local network. This attack can only be carried out from the local network. This defect is documented in Cisco Bug ID CSCdu81936 and is repaired in future versions of Cisco IOS code. This defect is duplicated by the follow!
Impact:
This issue can cause a Cisco Router to be vulnerable to a Denial-of-Service attack, once the ARP table entries time out. This defect does not result in a failure of confidentiality of information stored on the unit, nor does this defect allow hostile code to be loaded onto a Cisco device. This defect may cause a Denial-of-Service on the management functions of a Cisco Switch, but does not affect traffic through the device.
Software versions and fixes:
For a complete table of software fixes, please refer to:
http://www.cisco.com/warp/public/707/IOS-arp-overwrite-vuln-pub.shtml#software
Obtaining fixed software:
Cisco is offering free software upgrades to remedy this vulnerability for all affected customers. Customers with service contracts may upgrade to any software version. Customers without contracts may upgrade only within a single row of the table above, except that any available fixed software will be provided to any customer who can use it and for whom the standard fixed software is not yet available. As always, customers may install only the feature sets they have purchased.
Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's Worldwide Web site at http://www.cisco.com. Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which should be free of charge.
Customers without contracts should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows:
* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.
Workarounds:
The workaround for this vulnerability is to enter the router interface MAC address into the ARP table with a configuration entry, sometimes known as "hard coding" the ARP table entry.
The syntax for this command for routers and switches running IOS is as follows:
arp <ip-address> <hardware-address> <type>
The syntax for this command for switches running CatOS is as follows:
set arp [dynamic|permanent|static] <ip_address> <hardware_address>
The caveat to this workaround is identified with defect CSCdv04366, which will clear all manually entered MAC addresses from the ARP table, when they are the same as the interface MAC address, when the command "clear arp" is issued on the router. This workaround does not survive a reboot of the router, and must be re-written to the configuration after any reload or reboot.
|
|
|
|
|
|
|
|
|
|
