Thread-topic: [VulnWatch] Cisco Security Advisory: IOS Heap-based Overflow Vulnerability in System Timers
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Cisco Security Advisory:
> ========================
> IOS Heap-based Overflow Vulnerability in System Timers
> ======================================================
>
> Document ID: 68064
>
> Revision 1.0
>
> For Public Release 2005 November 2 1600 UTC (GMT)
>
> -
> --------------------------------------------------------------
> ---------
>
> Contents
> ========
>
> Summary
> Affected Products
> Background Information Regarding Heap Overflows
> Details
> Impact
> Software Versions and Fixes
> Obtaining Fixed Software
> Workarounds
> Exploitation and Public Announcements
> Status of This Notice: FINAL
> Distribution
> Revision History
> Cisco Security Procedures
>
> -
> --------------------------------------------------------------
> ---------
>
> Summary
> =======
>
> The Cisco Internetwork Operating System (IOS) may permit
> arbitrary code
> execution after exploitation of a heap-based buffer overflow
> vulnerability. Cisco has included additional integrity checks in its
> software, as further described below, that are intended to reduce the
> likelihood of arbitrary code execution.
>
> Cisco has made free software available that includes the additional
> integrity checks for affected customers.
>
> This advisory is posted at
> .
>
> Cisco is not aware of any active exploitation of this vulnerability.
> This advisory documents changes to Cisco IOS? as a result of continued
> research related to the demonstration of the exploit for another
> vulnerability which occurred in July 2005 at the Black Hat USA
> Conference. Cisco addressed the IPv6 attack vector used in that
> demonstration in a separate advisory published on July 29, 2005.
>
> Affected Products
> =================
>
> This security advisory applies to all Cisco products that run
> Cisco IOS
> Software. Any version of Cisco IOS prior to the versions listed in the
> Fixed Software table below may be susceptible to heap overflow
> exploitation.
>
> Cisco IOS XR is not affected.
>
> To determine the software running on a Cisco product, log in to the
> device and issue the "show version" command to display the
> system banner.
> Cisco IOS Software will identify itself as "Internetwork Operating
> System Software" or simply "IOS". On the next line of output,
> the image
> name will be displayed between parentheses, followed by "Version" and
> the IOS release name. Other Cisco devices will not have the
> "show version" command or will give different output.
>
> The following example identifies a Cisco product running IOS release
> 12.3(6) with an installed image name of C3640-I-M:
>
> Cisco Internetwork Operating System Software
> IOS (tm) 3600 Software (C3640-I-M), Version 12.3(6),
> RELEASE SOFTWARE (fc3)
>
>
> The next example shows a product running IOS release
> 12.3(11)T3 with an
> image name of C3845-ADVIPSERVICESK9-M:
>
> Cisco IOS Software, 3800 Software
> (C3845-ADVIPSERVICESK9-M), Version 12.3(11)T3, RELEASE SOFTWARE (fc4)
> Technical Support:
> Copyright (c) 1986-2005 by Cisco Systems, Inc.
>
>
> Additional information about Cisco IOS release naming can be found at
> .
>
> No other Cisco products are currently known to be affected by the
> vulnerability addressed in this advisory.
>
> Background Information Regarding Heap Overflows
> ===============================================
>
> As this security advisory pertains to heap overflows, the following
> additional information is provided to aid in understanding the
> terminology used in this advisory.
>
> RFC 2828 defines a vulnerability as "A flaw or weakness in a system's
> design, implementation, or operation and management that could be
> exploited to violate the system's security policy." The
> threat from any
> particular vulnerability in a system or a protocol depends on the ease
> and likelihood in which the normal operations of a system can be
> disrupted or compromised. In order to minimize the threat, each
> possible attack vector for a particular vulnerability should either be
> mitigated with protections which may prevent the
> circumstances required
> for exploitation or remediated with software that no longer contains
> the vulnerability.
>
> Many forms of malicious software, commonly known as
> "exploits", contain
> a payload that seeks to disrupt or compromise a system delivered
> through well-known attack vectors for particular vulnerabilities. In
> cases where it is likely that unpatched vulnerable systems exist,
> counter-measures are often employed to attempt to block any and all
> attack vectors to minimize the threat of successful exploitation. One
> popular attack method often found in the payload of exploits is known
> as a buffer overflow.
>
> A heap-based overflow is a type of buffer overflow against a data
> structure residing within the memory heap. The memory heap is
> a section
> of system memory used by the operating system of the device to satisfy
> the dynamic data storage requirements for currently running processes.
> In a successful heap-based overflow, the operating system fails to
> enforce bounds checking on a buffer, thus allowing for the possibility
> of overwriting adjacent locations in system memory.
>
> The threat from buffer overflows, like the one described in this
> advisory, may be remediated in multiple ways. One way is to remove the
> particular attack vector so that it no longer exists. Another
> way is to
> employ protections in the underlying system to minimize the
> consequences of any future buffer overflow vulnerabilities that may be
> discovered.
>
> Details
> =======
>
> Cisco IOS may be susceptible to remote code execution through attack
> vectors such as specific heap-based overflows in which internal
> operating system timers may execute arbitrary code from portions of
> memory that have been overwritten via exploitation.
>
> In many cases, a heap-based overflow in Cisco IOS will simply corrupt
> system memory and trigger a system reload when detected by the "Check
> Heaps" process, which constantly monitors for such memory corruption.
> In a successful attack against an appropriate heap-based overflow, it
> is possible to achieve code execution without the device crashing
> immediately.
>
> Cisco has devised counter-measures by implementing extra checks to
> enforce the proper integrity of system timers. This extra validation
> should reduce the possibility of heap-based overflow attack vectors
> achieving remote code execution.
>
> These improvements have been documented in Cisco Bug ID CSCei61732.
>
>
> Impact
> ======
>
> Successful exploitations of heap-based buffer overflow vulnerabilities
> in Cisco IOS software often result in a Denial of Service because the
> exploit causes the router to crash and reload due to
> inconsistencies in
> running memory. In some cases it is possible to overwrite areas of
> system memory and execute arbitrary code from those locations. In the
> event of successful remote code execution, device integrity will have
> been completely compromised.
>
> Software Versions and Fixes
> ===========================
>
> When considering software upgrades, please also consult
>
> es_listing.html
> and any subsequent advisories to determine exposure and a complete
> upgrade solution.
>
> In all cases, customers should exercise caution to be certain the
> devices to be upgraded contain sufficient memory and that current
> hardware and software configurations will continue to be supported
> properly by the new release. If the information is not clear, contact
> the Cisco Technical Assistance Center ("TAC") for assistance.
>
> Each row of the Cisco IOS software table (below) describes a release
> train and the platforms or products for which it is intended. If a
> given release train is vulnerable, then the earliest possible releases
> that contain the fix (the "First Fixed Release") and the anticipated
> date of availability for each are listed in the "Rebuild" and
> "Maintenance" columns. A device running a release in the given train
> that is earlier than the release in a specific column (less than the
> First Fixed Release) is known to be vulnerable. The release should be
> upgraded at least to the indicated release or a later version (greater
> than or equal to the First Fixed Release label).
>
> For further information on the terms "Rebuild" and "Maintenance,"
> please consult the following URL:
> .
>
> +------------------------------------------------------+
> | Major | Availability of Repaired Releases |
> | Release | |
> |------------+-----------------------------------------|
> | Affected | | |
> | 12.0-Based | Rebuild | Maintenance |
> | Release | | |
> |------------+--------------------+--------------------|
> | 12.0 | 12.0(28d) | |
> |------------+-----------------------------------------|
> | 12.0DA | Vulnerable; migrate to 12.2(12)DA9 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0DB | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0DC | Vulnerable; migrate to 12.2(15)BC2i or |
> | | later |
> |------------+-----------------------------------------|
> | | 12.0(28)S5 | |
> | |--------------------+--------------------|
> | 12.0S | 12.0(30)S4 | |
> | |--------------------+--------------------|
> | | 12.0(31)S1 | |
> |------------+-----------------------------------------|
> | 12.0SC | Vulnerable; migrate to 12.2(15)BC2i or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0SL | Vulnerable; migrate to 12.0(31)S1 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0SP | Vulnerable; migrate to 12.0(31)S1 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0ST | Vulnerable; migrate to 12.0(31)S1 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0SX | Vulnerable; contact TAC |
> |------------+-----------------------------------------|
> | 12.0SZ | Vulnerable; migrate to 12.0(31)S1 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0T | Vulnerable; migrate to 12.1(27b) or |
> | | later |
> |------------+-----------------------------------------|
> | | 12.0(25)W5-27d | |
> | |--------------------+--------------------|
> | 12.0W5 | 12.0(28)W5-30b | |
> | |--------------------+--------------------|
> | | 12.0(28)W5-32a | |
> |------------+--------------------+--------------------|
> | 12.0WC | 12.0(5)WC13 | |
> |------------+-----------------------------------------|
> | 12.0XA | Vulnerable; migrate to 12.1(27b) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0XB | Vulnerable; migrate to 12.1(27b) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0XC | Vulnerable; migrate to 12.1(27b) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0XD | Vulnerable; migrate to 12.1(27b) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0XE | Vulnerable; migrate to 12.1(26)E3 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0XF | Vulnerable; migrate to 12.1(27b) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0XG | Vulnerable; migrate to 12.1(27b) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0XH | Vulnerable; migrate to 12.1(27b) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0XI | Vulnerable; migrate to 12.1(27b) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0XJ | Vulnerable; migrate to 12.1(27b) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0XK | Vulnerable; migrate to 12.2(31) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0XL | Vulnerable; migrate to 12.2(31) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0XM | Vulnerable; migrate to 12.1(27b) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0XN | Vulnerable; migrate to 12.1(27b) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0XQ | Vulnerable; migrate to 12.1(27b) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0XR | Vulnerable; migrate to 12.2(31) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0XS | Vulnerable; migrate to 12.1(26)E3 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.0XV | Vulnerable; migrate to 12.1(27b) or |
> | | later |
> |------------+-----------------------------------------|
> | Affected | | |
> | 12.1-Based | Rebuild | Maintenance |
> | Release | | |
> |------------+--------------------+--------------------|
> | 12.1 | 12.1(27b) | |
> |------------+-----------------------------------------|
> | 12.1AA | Vulnerable; migrate to 12.2(31) or |
> | | later |
> |------------+-----------------------------------------|
> | | Vulnerable; for c3750-ME, migrate to |
> | 12.1AX | 12.2(25)EY3 or later. For c2970 and |
> | | 3750, migrate to 12.2(25)SEB4, 12.2(25) |
> | | SEC2, 12.2(25)SED or later. |
> |------------+-----------------------------------------|
> | 12.1AY | Vulnerable; migrate to 12.1(22)EA4a, |
> | | 12.1(22)EA5a, 12.2(22)EA6 or later |
> |------------+-----------------------------------------|
> | 12.1AZ | Vulnerable; migrate to 12.1(22)EA4a, |
> | | 12.1(22)EA5a, 12.2(22)EA6 or later |
> |------------+-----------------------------------------|
> | 12.1CX | Vulnerable; migrate to 12.2(31) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1DA | Vulnerable; migrate to 12.2(12)DA9 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1DB | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1DC | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | | 12.1(8b)E20 | |
> | |--------------------+--------------------|
> | | 12.1(13)E17 | |
> | 12.1E |--------------------+--------------------|
> | | 12.1(23)E4 | |
> | |--------------------+--------------------|
> | | 12.1(26)E3 | |
> |------------+--------------------+--------------------|
> | | 12.1(22)EA4a | 12.1(22)EA6 |
> | 12.1EA |--------------------+--------------------|
> | | 12.1(22)EA5a | |
> |------------+--------------------+--------------------|
> | 12.1EB | 12.1(26)EB1 | |
> |------------+-----------------------------------------|
> | 12.1EC | Vulnerable; migrate to 12.2(15)BC2i or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1EO | 12.1(20)EO3, | |
> | | available 11/30/05 | |
> |------------+-----------------------------------------|
> | 12.1EU | Vulnerable; migrate to 12.2(20)EU2 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1EV | Vulnerable; migrate to 12.2(26)SV1 or |
> | | later |
> |------------+-----------------------------------------|
> | | 12.1(12c)EW4 | |
> | |--------------------+--------------------|
> | | 12.1(13)EW4 | |
> | 12.1EW |--------------------+--------------------|
> | | 12.1(19)EW3 | |
> | |--------------------+--------------------|
> | | 12.1(20)EW4 | |
> |------------+-----------------------------------------|
> | 12.1EX | Vulnerable; migrate to 12.1(26)E3 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1EY | Vulnerable; migrate to 12.1(26)E3 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1EZ | Vulnerable; migrate to 12.1(26)E3 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1T | Vulnerable; migrate to 12.2(31) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XA | Vulnerable; migrate to 12.2(31) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XB | Vulnerable; migrate to 12.2(31) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XC | Vulnerable; migrate to 12.2(31) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XD | Vulnerable; migrate to 12.2(31) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XE | Vulnerable; migrate to 12.1(26)E3 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XF | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XG | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XH | Vulnerable; migrate to 12.2(31) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XI | Vulnerable; migrate to 12.2(31) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XJ | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XL | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XM | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XP | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XQ | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XR | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XS | Vulnerable; migrate to 12.2(31) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XT | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XU | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XV | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XW | Vulnerable; migrate to 12.2(31) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XX | Vulnerable; migrate to 12.2(31) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1XY | Vulnerable; migrate to 12.2(31) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1YA | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1YB | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1YC | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1YD | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1YE | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1YF | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1YH | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1YI | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.1YJ | Vulnerable; migrate to 12.1(22)EA4a, |
> | | 12.1(22)EA5a, 12.1(22)EA6 or later |
> |------------+-----------------------------------------|
> | Affected | | |
> | 12.2-Based | Rebuild | Maintenance |
> | Release | | |
> |------------+--------------------+--------------------|
> | | 12.2(12m) | |
> | |--------------------+--------------------|
> | | 12.2(17f) | |
> | |--------------------+--------------------|
> | | 12.2(23f) | |
> | |--------------------+--------------------|
> | 12.2 | 12.2(26b) | |
> | |--------------------+--------------------|
> | | 12.2(27b) | |
> | |--------------------+--------------------|
> | | 12.2(28c) | |
> | |--------------------+--------------------|
> | | 12.2(29a) | 12.2(31) |
> |------------+-----------------------------------------|
> | 12.2B | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2BC | 12.2(15)BC2i | |
> |------------+-----------------------------------------|
> | 12.2BX | Vulnerable; migrate to 12.3(7)XI7, |
> | | available 15-Nov-2005 |
> |------------+-----------------------------------------|
> | 12.2BY | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2BZ | Vulnerable; migrate to 12.3(7)XI7, |
> | | available 15-Nov-2005 |
> |------------+-----------------------------------------|
> | 12.2CX | Vulnerable; migrate to 12.2(15)BC2i or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2CY | Vulnerable; migrate to 12.2(15)BC2i or |
> | | later |
> |------------+-----------------------------------------|
> | | 12.2(15)CZ3, | |
> | 12.2CZ | available | |
> | | 3-Nov-2005 | |
> |------------+--------------------+--------------------|
> | | 12.2(10)DA4 | |
> | 12.2DA |--------------------+--------------------|
> | | 12.2(12)DA9 | |
> |------------+-----------------------------------------|
> | 12.2DD | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2DX | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2EU | 12.2(20)EU2 | |
> |------------+--------------------+--------------------|
> | | 12.2(18)EW5 | |
> | 12.2EW |--------------------+--------------------|
> | | 12.2(20)EW3 | |
> |------------+--------------------+--------------------|
> | | 12.2(20)EWA3 | |
> | |--------------------+--------------------|
> | 12.2EWA | 12.2(25)EWA3 | |
> | |--------------------+--------------------|
> | | 12.2(25)EWA4 | |
> |------------+--------------------+--------------------|
> | | | 12.2(25)EX, |
> | 12.2EX | | available |
> | | | 03-Nov-2005 |
> |------------+--------------------+--------------------|
> | 12.2EY | 12.2(25)EY3 | Migrate to 12.2 |
> | | | (25)SED |
> |------------+-----------------------------------------|
> | 12.2EZ | Vulnerable; migrate to 12.2(25)SEC2, |
> | | 12.2(25)SED or later |
> |------------+-----------------------------------------|
> | | | 12.2(25)FX, |
> | 12.2FX | | available |
> | | | 07-Nov-2005 |
> |------------+--------------------+--------------------|
> | 12.2FY | | 12.2(25)FY |
> |------------+-----------------------------------------|
> | 12.2JA | Vulnerable; migrate to 12.3(7)JA1 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2JK | 12.2(15)JK5 | |
> |------------+--------------------+--------------------|
> | 12.2MB | 12.2(4)MB13c | |
> |------------+--------------------+--------------------|
> | 12.2MC | 12.2(15)MC2e | |
> |------------+--------------------+--------------------|
> | | 12.2(14)S15 | |
> | |--------------------+--------------------|
> | | 12.2(18)S10 | |
> | |--------------------+--------------------|
> | | 12.2(20)S9 | |
> | 12.2S |--------------------+--------------------|
> | | 12.2(25)S6 | |
> | |--------------------+--------------------|
> | | 12.2(30)S1, | |
> | | available | |
> | | 14-Nov-2005 | |
> |------------+--------------------+--------------------|
> | 12.2SBC | | 12.2(27)SBC |
> |------------+--------------------+--------------------|
> | | 12.2(25)SEB4 | 12.2(25)SED |
> | 12.2SE |--------------------+--------------------|
> | | 12.2(25)SEC2 | |
> |------------+--------------------+--------------------|
> | 12.2SG | | 12.2(25)SG |
> |------------+--------------------+--------------------|
> | 12.2SO | 12.2(18)SO4 | |
> |------------+-----------------------------------------|
> | 12.2SU | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | | 12.2(26)SV1 | |
> | |--------------------+--------------------|
> | 12.2SV | 12.2(27)SV1, | |
> | | available | |
> | | 15-Nov-2005 | |
> |------------+--------------------+--------------------|
> | | | 12.2(25)SW4 |
> | 12.2SW |--------------------+--------------------|
> | | | 12.2(25)SW4a |
> |------------+-----------------------------------------|
> | 12.2SX | Vulnerable; migrate to 12.2(17d)SXB10 |
> | | or later |
> |------------+-----------------------------------------|
> | 12.2SXA | Vulnerable; migrate to 12.2(17d)SXB10 |
> | | or later |
> |------------+-----------------------------------------|
> | 12.2SXB | 12.2(17d)SXB10 | |
> |------------+--------------------+--------------------|
> | 12.2SXD | 12.2(18)SXD6 | |
> |------------+--------------------+--------------------|
> | 12.2SXE | 12.2(18)SXE3 | |
> |------------+--------------------+--------------------|
> | 12.2SXF | | 12.2(18)SXF |
> |------------+-----------------------------------------|
> | 12.2SY | Vulnerable; migrate to 12.2(17d)SXB10 |
> | | or later |
> |------------+-----------------------------------------|
> | 12.2SZ | Vulnerable; migrate to 12.2(25)S6 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2T | 12.2(15)T17 | |
> |------------+--------------------+--------------------|
> | 12.2TPC | 12.2(8)TPC10a, | |
> | | available TBD | |
> |------------+-----------------------------------------|
> | 12.2XA | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2XB | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2XC | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2XD | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2XE | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2XF | Vulnerable; migrate to 12.2(15)BC2i or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2XG | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2XH | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2XI | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2XJ | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2XK | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2XL | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2XM | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2XN | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2XQ | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | | 12.2(2)XR and 12.2(4)XR vulnerable, |
> | | migrate to 12.3(16) or later |
> | 12.2XR |-----------------------------------------|
> | | 12.2(15)XR vulnerable; migrate to 12.3 |
> | | (7)JA1 |
> |------------+-----------------------------------------|
> | 12.2XS | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2XT | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2XU | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2XV | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2XW | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YA | 12.2(4)YA11, | |
> | | available TBD | |
> |------------+-----------------------------------------|
> | 12.2YB | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YC | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YD | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YE | Vulnerable; migrate to 12.2(25)S6 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YF | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YG | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YH | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YJ | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YK | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YL | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YM | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YN | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YO | Vulnerable; migrate to 12.2(17d)SXB10 |
> | | or later |
> |------------+-----------------------------------------|
> | 12.2YP | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YQ | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YR | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YS | | 12.2(15)YS |
> |------------+-----------------------------------------|
> | 12.2YT | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YU | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YV | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YW | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YX | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YY | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2YZ | Vulnerable; migrate to 12.2(25)S6 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2ZA | Vulnerable; migrate to 12.2(17d)SXB10 |
> | | or later |
> |------------+-----------------------------------------|
> | 12.2ZB | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2ZC | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2ZD | 12.2(13)ZD4 | |
> |------------+-----------------------------------------|
> | 12.2ZE | Vulnerable; migrate to 12.3(16) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2ZF | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | | Vulnerable; migrate to 12.3(8)YG3 or |
> | 12.2ZG | later for SOHO9x migrate to 12.3(2)XA5 |
> | | or later for c83x |
> |------------+-----------------------------------------|
> | 12.2ZH | 12.2(13)ZH8, | |
> | | available TBD | |
> |------------+-----------------------------------------|
> | 12.2ZJ | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | | Vulnerable; migrate to 12.3(4)XK4 or |
> | 12.2ZL | later for c17xx migrate to 12.4(3a) or |
> | | later for c3200 migrate to 12.3(7)XR6 |
> | | or later for ICS7750 |
> |------------+-----------------------------------------|
> | 12.2ZN | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.2ZP | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | Affected | | |
> | 12.3-Based | Rebuild | Maintenance |
> | Release | | |
> |------------+--------------------+--------------------|
> | | 12.3(3i) | |
> | |--------------------+--------------------|
> | | 12.3(5f) | |
> | |--------------------+--------------------|
> | | 12.3(6f) | |
> | |--------------------+--------------------|
> | | 12.3(9e) | |
> | 12.3 |--------------------+--------------------|
> | | 12.3(10e) | |
> | |--------------------+--------------------|
> | | 12.3(12e) | |
> | |--------------------+--------------------|
> | | 12.3(13b) | |
> | |--------------------+--------------------|
> | | 12.3(15b) | 12.3(16) |
> |------------+-----------------------------------------|
> | 12.3B | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | | 12.3(9a)BC7 | |
> | 12.3BC |--------------------+--------------------|
> | | 12.3(13a)BC1 | |
> |------------+-----------------------------------------|
> | 12.3BW | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | | 12.3(2)JA5 | |
> | |--------------------+--------------------|
> | 12.3JA | 12.3(4)JA1 | |
> | |--------------------+--------------------|
> | | 12.3(7)JA1 | |
> |------------+--------------------+--------------------|
> | 12.3JK | 12.3(2)JK1 | |
> |------------+--------------------+--------------------|
> | 12.3JX | 12.3(7)JX | |
> |------------+--------------------+--------------------|
> | | 12.3(7)T12 | |
> | |--------------------+--------------------|
> | | 12.3(8)T11 | |
> | 12.3T |--------------------+--------------------|
> | | 12.3(11)T8 | |
> | |--------------------+--------------------|
> | | 12.3(14)T4 | |
> |------------+--------------------+--------------------|
> | 12.3TPC | 12.3(4)TPC11a | |
> |------------+--------------------+--------------------|
> | 12.3XA | 12.3(2)XA5, | |
> | | available TBD | |
> |------------+-----------------------------------------|
> | 12.3XB | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.3XC | 12.3(2)XC4 | |
> |------------+-----------------------------------------|
> | 12.3XD | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.3XE | 12.3(4)XE4, | |
> | | available TBD | |
> |------------+-----------------------------------------|
> | 12.3XF | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.3XG | 12.3(4)XG5 | |
> |------------+-----------------------------------------|
> | 12.3XH | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | | 12.3(7)XI7, | |
> | 12.3XI | available | |
> | | 15-Nov-2005 | |
> |------------+-----------------------------------------|
> | 12.3XJ | Vulnerable; migrate to 12.3(11)YF4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.3XK | 12.3(4)XK4 | |
> |------------+-----------------------------------------|
> | 12.3XM | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.3XQ | Vulnerable; migrate to 12.4(3a) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.3XR | 12.3(7)XR6 | |
> |------------+-----------------------------------------|
> | 12.3XS | Vulnerable; migrate to 12.4(3a) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.3XU | Vulnerable; migrate to 12.4(2)T1 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.3XW | Vulnerable; migrate to 12.3(11)YF4 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.3XX | Vulnerable; migrate to 12.4(3a) or |
> | | later |
> |------------+-----------------------------------------|
> | 12.3XY | Vulnerable; migrate to 12.3(14)T4 or |
> | | later |
> |------------+-----------------------------------------|
> | | Vulnerable; migrate to 12.4(3a) or |
> | 12.3YA | later for C828; migrate to 12.3(8)YG3 |
> | | or later for SOHO9x, C83x |
> |------------+-----------------------------------------|
> | 12.3YD | Vulnerable; migrate to 12.4(2)T1 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.3YF | 12.3(11)YF4 | |
> |------------+--------------------+--------------------|
> | 12.3YG | 12.3(8)YG3 | |
> |------------+-----------------------------------------|
> | 12.3YH | Vulnerable; migrate to 12.3(8)YI3 or |
> | | later |
> |------------+-----------------------------------------|
> | 12.3YI | 12.3(8)YI3 | |
> |------------+--------------------+--------------------|
> | 12.3YJ | 12.3(14)YQ3 | |
> |------------+--------------------+--------------------|
> | 12.3YK | 12.3(11)YK2 | |
> |------------+--------------------+--------------------|
> | 12.3YQ | 12.3(14)YQ3 | |
> |------------+--------------------+--------------------|
> | 12.3YS | 12.3(11)YS1 | |
> |------------+--------------------+--------------------|
> | 12.3YT | 12.3(14)YT1 | |
> |------------+--------------------+--------------------|
> | 12.3YU | 12.3(14)YU1 | |
> |------------+--------------------+--------------------|
> | Affected | | |
> | 12.4-Based | Rebuild | Maintenance |
> | Release | | |
> |------------+--------------------+--------------------|
> | | 12.4(1b) | |
> | 12.4 |--------------------+--------------------|
> | | 12.4(3a) | |
> |------------+--------------------+--------------------|
> | 12.4MR | | 12.4(2)MR1 |
> |------------+--------------------+--------------------|
> | 12.4T | 12.4(2)T1 | |
> |------------+--------------------+--------------------|
> | 12.4XA | | 12.4(2)XA |
> |------------+--------------------+--------------------|
> | | | 12.4(2)XB, |
> | 12.4XB | | available |
> | | | 18-Nov-2005 |
> +------------------------------------------------------+
>
> Obtaining Fixed Software
> ========================
>
> Customers with Service Contracts
> +-------------------------------
>
> Customers with contracts should obtain upgraded software through their
> regular update channels. For most customers, this means that upgrades
> should be obtained through the Software Center on Cisco's worldwide
> website at .
>
> Customers using Third-party Support Organizations
> +------------------------------------------------
>
> Customers whose Cisco products are provided or maintained
> through prior
> or existing agreement with third-party support organizations such as
> Cisco Partners, authorized resellers, or service providers should
> contact that support organization for assistance with the upgrade,
> which should be free of charge.
>
> Customers without Service Contracts
> +----------------------------------
>
> Customers who purchase direct from Cisco but who do not hold a Cisco
> service contract and customers who purchase through
> third-party vendors
> but are unsuccessful at obtaining fixed software through
> their point of
> sale should get their upgrades by contacting the Cisco Technical
> Assistance Center (TAC). TAC contacts are as follows.
>
> * +1 800 553 2447 (toll free from within North America)
> * +1 408 526 7209 (toll call from anywhere in the world)
> * e-mail: tac@xxxxxxxxx
>
> Please have your product serial number available and give the URL of
> this notice as evidence of your entitlement to a free upgrade. Free
> upgrades for non-contract customers must be requested through the TAC.
>
> Please do not contact either "psirt@xxxxxxxxx" or
> "security-alert@xxxxxxxxx" for software upgrades.
>
> See for
> additional TAC contact information, including special localized
> telephone numbers and instructions and e-mail addresses for use in
> various languages.
>
> Customers may only install and expect support for the feature
> sets they
> have purchased. By installing, downloading, accessing or otherwise
> using such software upgrades, customers agree to be bound by the terms
> of Cisco's software license terms found at
> , or as
> otherwise
> set forth at Cisco.com Downloads at
> .
>
> Workarounds
> ===========
>
> There are no workarounds or configuration changes that will implement
> counter-measures equivalent to the increased integrity checks
> on system
> timers that have been introduced. In order to reduce the potential for
> system timer-related arbitrary code execution, an IOS upgrade is
> necessary.
>
> Successful exploitation requires an appropriate attack vector such as
> the vulnerability described in
> .
> Vulnerability specific workarounds and mitigation steps may help to
> minimize the threat to the device by removing or minimizing the
> available attack vectors, but the device could still be vulnerable
> through any other attack vectors in which a software fix or
> mitigation
> has not been implemented.
>
> Exploitation and Public Announcements
> =====================================
>
> The Cisco PSIRT is not aware of malicious use of the vulnerability
> described in this advisory. Exploit code exists for this
> vulnerability.
> It was used in a demonstration by Mike Lynn on July 27, 2005 at the
> Black Hat USA 2005 security conference where a heap overflow via an
> IPv6 attack vector achieved remote code execution. The IPv6 attack
> vector was addressed separately in a Cisco security advisory released
> on July 29, 2005.
>
> Status of This Notice: FINAL
> ============================
>
> THIS ADVISORY IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
> KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF
> MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE ADVISORY OR
> MATERIALS LINKED FROM THE ADVISORY IS AT YOUR OWN RISK. CISCO RESERVES
> THE RIGHT TO CHANGE OR UPDATE THIS NOTICE AT ANY TIME.
>
> A stand-alone copy or paraphrase of the text of this security advisory
> that omits the distribution URL in the following section is an
> uncontrolled copy, and may lack important information or contain
> factual errors.
>
> Distribution
> ============
>
> This advisory is posted on Cisco's worldwide website at
> .
>
> In addition to worldwide web posting, a text version of this notice is
> clear-signed with the Cisco PSIRT PGP key and is posted to the
> following e-mail and Usenet news recipients.
>
> * cust-security-announce@xxxxxxxxx
> * first-teams@xxxxxxxxx (includes CERT/CC)
> * bugtraq@xxxxxxxxxxxxxxxxx
> * vulnwatch@xxxxxxxxxxxxx
> * cisco@xxxxxxxxxxxxxxxxx
> * cisco-nsp@xxxxxxxxxxxxxxx
> * full-disclosure@xxxxxxxxxxxxxxxxx
> * comp.dcom.sys.cisco@xxxxxxxxxxxxxxxxxx
>
> Future updates of this advisory, if any, will be placed on Cisco's
> worldwide website, but may or may not be actively announced on mailing
> lists or newsgroups. Users concerned about this problem are encouraged
> to check the above URL for any updates.
>
> Revision History
> ================
>
> +----------------------------------------------------+
> | | | |
> | Revision 1.0 | 2-Nov-2005 | Initial public release |
> | | | |
> +----------------------------------------------------+
>
> Cisco Security Procedures
> =========================
>
> Complete information on reporting security vulnerabilities in Cisco
> products, obtaining assistance with security incidents, and
> registering
> to receive security information from Cisco, is available on Cisco's
> worldwide website at
>
> ility_policy.html.
> This includes instructions for press inquiries regarding
> Cisco security
> notices. All Cisco security advisories are available at
> .
>
> -
> --------------------------------------------------------------
> ---------
>
> All contents are Copyright 1992-2005 Cisco Systems, Inc. All rights
> reserved.
>
> -
> --------------------------------------------------------------
> ---------
>
> Updated: Nov 02, 2005 Document
> ID: 68064
>
> -
> --------------------------------------------------------------
> ---------
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
>
> iD8DBQFDaOt+ezGozzK2tZARArUkAKCbXRtfxKZDQ3T5x3NDU09kMiMdgACggaVp
> BH34hLlTWTtB/YyiMkOhiBY=
> =qUE2
> -----END PGP SIGNATURE-----
>
