Cisco Security Advisory: ICMP Unreachable Vulnerability in Cisco 12000 Series Internet Router

Revision 1.1

For Public Release 2001 November 14 08:00 (UTC -0800)

Last Update 2001 November 15 12:00 (UTC -0800)

Summary

The performance of Cisco 12000 series routers can be degraded when they have to send a large number of ICMP unreachable packets. This situation usually can occur during heavy network scanning. This vulnerability is tracked by three different bug IDs: CSCdr46528, CSCdt66560, CSCds36541. Each bug ID is assigned to a different Engine the line card is based upon.

The rest of the Cisco routers and switches are not affected by this vulnerability. It is specific for Cisco 12000 Series. No other Cisco product is vulnerable.

The workaround is to either prevent the router from sending unreachable Internet Control Message Protocol (ICMPs) at all or to rate limit them.

This advisory is available at

Affected Products

Only Cisco 12000 Series Internet Routers are affected by this vulnerability. No other routers or switches are affected. Not all line cards of a Cisco 12000 Series are affected by this vulnerability. The vulnerability is present in the underlying technology an individual line card is based upon. That technology is called "Engine". Currently, Cisco is shipping line cards based on the following Engines: 0, 1, 2, 3, and 4.

To determine what Engine your card is based on, you need to log on to the Cisco 12000 router and issue the "sh diag" command while in enable mode. The engine type will be displayed as "L3 Engine: x" where x will be the corresponding number.

The following example shows the output for an Engine 2 based line card.

    C12000#sh diag
    SLOT 1 (RP/LC 1 ): 1 Port Packet Over SONET OC-48c/STM-16 Single Mode/SR SC-SC connector
      MAIN: type 41, 800-5271-01 rev A0 dev 0
      HW config: 0x04 SW key: 00-00-00
      PCA: 73-3295-05 rev A0 ver 5
      HW version 1.1 S/N SDK034004AY
      MBUS: Embedded Agent
      Test hist: 0x00 RMA#: 00-00-00 RMA hist: 0x00
      DIAG: Test count: 0x00000000 Test results: 0x00000000
      L3 Engine: 2 - Backbone OC48 (2.5 Gbps)
      ^^^^^^^^^^^^ <- Note the engine type
    [further output truncated]

All line cards that are based on the Engines 0, 1 and 2 are vulnerable. Line cards based on the Engine 3 and 4 are not affected.
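
Added example (not part of the Cisco advisory): a Python sketch that applies the Engine rule above to captured "sh diag" output, one result per slot. Slot 1 uses lines from the advisory's sample; slots 2 and 3 are constructed, and the function and status names are this example's own.

```python
import re

# Engine classification as stated in the advisory text above.
VULNERABLE_ENGINES = {0, 1, 2}
NOT_AFFECTED_ENGINES = {3, 4}

SLOT_RE = re.compile(r"^\s*SLOT\s+(\d+)\b")
ENGINE_RE = re.compile(r"^\s*L3 Engine:\s*(\d+)\b")

# Slot 1 is taken from the advisory's sample; slots 2 and 3 are constructed.
SAMPLE_SH_DIAG = """\
SLOT 1 (RP/LC 1 ): 1 Port Packet Over SONET OC-48c/STM-16 Single Mode/SR SC-SC connector
  MAIN: type 41, 800-5271-01 rev A0 dev 0
  L3 Engine: 2 - Backbone OC48 (2.5 Gbps)
SLOT 2 (RP/LC 2 ): constructed sample line card
  L3 Engine: 4 - constructed sample
SLOT 3 (RP/LC 3 ): constructed sample card that reports no engine
"""


def classify_engines(sh_diag_text):
    """Return {slot: (engine, status)} for every SLOT block in the output."""
    result = {}
    slot = None
    for line in sh_diag_text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slot = int(m.group(1))
            # Placeholder until (and unless) an "L3 Engine" line follows.
            result[slot] = (None, "no engine line")
            continue
        m = ENGINE_RE.match(line)
        if m and slot is not None:
            engine = int(m.group(1))
            if engine in VULNERABLE_ENGINES:
                status = "vulnerable"
            elif engine in NOT_AFFECTED_ENGINES:
                status = "not affected"
            else:
                status = "unknown engine"  # not covered by the advisory
            result[slot] = (engine, status)
    return result


if __name__ == "__main__":
    for slot, (engine, status) in sorted(classify_engines(SAMPLE_SH_DIAG).items()):
        print(f"slot {slot}: engine {engine} -> {status}")
```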

The following table depicts which Cisco IOS Software Release is vulnerable to a particular issue:

    DDTS          12.0S         12.0ST
    CSCdr46528    Vulnerable    Vulnerable
    CSCds36541    Vulnerable    Vulnerable
    CSCdt66560    Vulnerable    Vulnerable

Details

The received packet will be dropped when either there is no valid path to the destination or when the packet should be routed to the Null0 interface. The packets are either fast dropped (Engine 0 Line Cards) or hardware dropped (all other application-specific integrated circuit (ASIC) based forwarding Line Cards). Given the fast and hardware drop capabilities of the Cisco 12000, a large volume of traffic can be dropped without impacting the capabilities of the router. Whenever a packet is dropped the router must send an ICMP unreachable packet back to the source. That is mandated by the Internet Standards.

When a high volume of traffic is sent to the router that requires ICMP unreachable replies, the processing of the replies can saturate the CPU. This condition can happen when the router is "Black Hole" filtering, dropping packets sent to it as the network's default path, or from a direct Denial of Service (DOS) against the router. For further information on "Black Hole" filtering consult the document: , section "Black Hole Routing as a Packet Filter".

The following table shows the relationship between the vulnerabilities and the Engine the line card is based on.

DDTS
Engine 0
Engine 1
Engine 2
Engine 4
CSCdr46528
Vulnerable
CSCds36541
Vulnerable
CSCdt66560
Vulnerable

Impact

Exploitation of these vulnerabilities may lead to Denial-of-Service. The router's performance will degrade and, in the worst case scenario, the router will stop forwarding packets.

Software Versions and Fixes

Each row of the table describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix and the anticipated date of availability for each are listed in the "Rebuild", "Interim", and "Maintenance" columns. A device running any release in the given train that is earlier than the release in a specific column (less than the earliest fixed release) is known to be vulnerable, and it should be upgraded at least to the indicated release or a later version (greater than the earliest fixed release label).

When selecting a release, keep in mind the following definitions:

Maintenance
    Most heavily tested and highly recommended release of any label in a given row of the table.

Rebuild
    Constructed from the previous maintenance or major release in the same train, it contains the fix for a specific defect. Although it receives less testing, it contains only the minimal changes necessary to effect the repair.

Interim
    Built at regular intervals between maintenance releases and receives less testing. Interim releases should be selected only if there is no other suitable release that addresses the vulnerability, and interim images should be upgraded to the next available maintenance release as soon as possible. Interim releases are not available via manufacturing, and usually they are not available for customer download from CCO without prior arrangement with the Cisco TAC.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco TAC for assistance as shown in the following section.

More information on Cisco IOS software release names and abbreviations is available at .

Vulnerability CSCdr46528

    Train: 12.0S
    Description of Image or Platform: Core/ISP support: GSR, RSP, c7200
    Availability of Fixed Releases*:
        Rebuild:      12.0(16)S1
        Interim**:    12.0(16.5)S
        Maintenance:  12.0(17)S

    Train: 12.0ST
    Description of Image or Platform: Cisco IOS software Release 12.0ST is an early deployment (ED) release for the Cisco 7200, 7500/7000RSP and 12000 (GSR) series routers for Service Providers (ISPs).
    Availability of Fixed Releases*:
        Rebuild:      12.0(15.6)ST3
        Interim**:    12.0(16.5)ST
        Maintenance:  12.0(16)ST

Vulnerability CSCds36541

    Train: 12.0S
    Description of Image or Platform: Core/ISP support: GSR, RSP, c7200
    Availability of Fixed Releases*:
        Rebuild:      12.0(13.6)S2
        Interim**:    12.0(14.1)S
        Maintenance:  12.0(14)S

    Train: 12.0ST
    Description of Image or Platform: Cisco IOS software Release 12.0ST is an early deployment (ED) release for the Cisco 7200, 7500/7000RSP and 12000 (GSR) series routers for Service Providers (ISPs).
    Availability of Fixed Releases*: 12.0(14.3)ST

Vulnerability CSCdt66560

    Train: 12.0S
    Description of Image or Platform: Core/ISP support: GSR, RSP, c7200
    Availability of Fixed Releases*:
        Rebuild:      12.0(16)S1
        Interim**:    12.0(16.6)S
        Maintenance:  12.0(17)S

    Train: 12.0ST
    Description of Image or Platform: Cisco IOS software Release 12.0ST is an early deployment (ED) release for the Cisco 7200, 7500/7000RSP and 12000 (GSR) series routers for Service Providers (ISPs).
    Availability of Fixed Releases*:
        Rebuild:      12.0(15.6)ST3
        Interim**:    12.0(16.6)ST
        Maintenance:  12.0(16)ST

Notes

* All dates are estimates and subject to change.

** Interim releases are subjected to less rigorous testing than regular maintenance releases, and may have serious bugs.

Obtaining Fixed Software

Cisco is offering free software upgrades to eliminate this vulnerability for all affected customers.

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's Worldwide Web site at . Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which should be free of charge.

Customers without contracts should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows:

    +1 800 553 2447 (toll-free from within North America)
    +1 408 526 7209 (toll call from anywhere in the world)
    E-mail:

Give the of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.

Workarounds

There are two workarounds for this issue. The first one is to prevent the router from sending ICMP unreachables at all. That behavior is governed by the "no ip unreachables" command. This command should be applied on an interface, such as in this example:

    Router(config)#interface ethernet 0
    Router(config-if)#no ip unreachables

The second is to mitigate the problem by rate limiting the number of ICMP unreachable packets that are sent. Here is the example:

    Router(config)#ip icmp rate-limit unreachable n

Where n is the number of milliseconds between two consecutive ICMP unreachable packets. The default value is 500. That means that one ICMP unreachable packet is sent every 500 ms.
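
Added example (not part of the Cisco advisory): a Python sketch that checks a saved configuration for the two workarounds above, listing interfaces that lack "no ip unreachables" and reporting the configured rate-limit interval. The configuration fragment, interface names and addresses are constructed, and the function name is this example's own.

```python
import re

# Constructed configuration fragment for illustration (not from the advisory).
SAMPLE_CONFIG = """\
ip icmp rate-limit unreachable 2000
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 no ip unreachables
!
interface POS1/0
 ip address 198.51.100.1 255.255.255.252
!
interface Null0
 no ip unreachables
!
"""


def audit_unreachables(config_text):
    """Report the unreachable rate limit and interfaces still sending unreachables."""
    rate_ms = None      # None: command absent (the advisory gives 500 ms as default)
    suppressed = {}     # interface name -> True once 'no ip unreachables' is seen
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # A top-level line either opens an interface block or ends one.
            m = re.match(r"interface\s+(.+)$", line)
            current = m.group(1) if m else None
            if current is not None:
                suppressed.setdefault(current, False)
            m = re.match(r"ip icmp rate-limit unreachable\s+(\d+)$", line)
            if m:
                rate_ms = int(m.group(1))
        elif current is not None and line.strip() == "no ip unreachables":
            suppressed[current] = True
    sending = [name for name, off in suppressed.items() if not off]
    return {"rate_limit_ms": rate_ms, "interfaces_sending_unreachables": sending}


if __name__ == "__main__":
    print(audit_unreachables(SAMPLE_CONFIG))
```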

Exploitation and Public Announcements

The Cisco PSIRT is aware that some ISPs have been experiencing difficulties due to this vulnerability.

Status of This Notice: Final

This is a final notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this notice unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this notice.

A standalone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution

This notice will be posted on Cisco's Worldwide Web site at . In addition to Worldwide Web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients:

    cust-security-announce@cisco.com
    bugtraq@securityfocus.com
    first-teams@first.org (includes CERT/CC)
    cisco@spot.colorado.edu
    comp.dcom.sys.cisco
    firewalls@lists.gnac.com
    Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide Web server, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL given above for any updates.

Revision History

    Revision 1.0    2001-Nov-14 08:00 UTC -0800    Initial public release
    Revision 1.1    2001-Nov-15 12:00 UTC -0800    Changed tables entries for the Affected Products and Software Versions and Fixes sections.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's Worldwide Web site at . This includes instructions for press inquiries regarding Cisco security notices. All Cisco Security Advisories are available at .

This notice is Copyright 2001 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, and include all date and version information.