[nsp] Cisco Security Advisory: IOS ARP Table Overwrite Vulnerability

From: Cisco Systems Product Security Incident Response Team (psirt@cisco.com)
Date: Thu Nov 15 2001 - 11:30:00 EST


-----BEGIN PGP SIGNED MESSAGE-----

Cisco Security Advisory: Cisco IOS ARP Table Overwrite Vulnerability
=========================================================================

Revision 1.0

For Release 2001 November 15 08:00 AM US/Pacific (UTC -0700)

- -------------------------------------------------------------------------

Summary
=======

It is possible to send an Address Resolution Protocol (ARP) packet on a
local broadcast interface (for example: ethernet, cable, tokenring, fddi)
which could cause a router or switch running specific versions of Cisco
IOS® Software Release or CatOS to stop sending and receiving ARP packets
on the local router interface. This will in a short time cause the
router and local hosts to be unable to send packets to each other. ARP
packets received by the router for the router's own interface address
but a different Media Access Control (MAC) address will overwrite the
router's MAC address in the ARP table with the one from the received ARP
packet. This was demonstrated to attendees of the Black Hat conference
and should be considered to be public knowledge. This attack is only
successful against devices on the segment local to the attacker or
attacking host.

This vulnerability is documented in Cisco Bug ID CSCdu81936, and a
workaround is available.

The complete notice will be available at http://www.cisco.com/warp/public
/707/IOS-arp-overwrite-vuln-pub.shtml
 

Affected Products
=================

The following products are affected if they run a software release that
has the defect.

To determine if a Cisco product is running an affected IOS, log in to the
device and issue the command show version. Cisco IOS software will
identify itself as "Internetwork Operating System Software" or "IOS (tm)"
software and will display a version number. Other Cisco devices either
will not have the command show version, or will give different output.
Compare the version number obtained from the router with the versions
presented in the Software Versions and Fixes section below.

Cisco devices that may be running with affected IOS software releases
include:

  * Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000,
    1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500,
    4700, AS5200, AS5300, AS5800, 6400, 7000, 7200, ubr7200, 7500, and
    12000 series.
  * Most recent versions of the LS1010 ATM switch.
  * The Catalyst 6000.
  * The Catalyst 2900XL LAN switch.
  * The Catalyst 1900, 2800, 2900, 3000, and 5000 series LAN switches are
    affected.
  * The Cisco DistributedDirector.

If you are not running Cisco IOS software, you are not affected by this
vulnerability.

Cisco products that do not run Cisco IOS software and are not affected by
this defect include, but are not limited to:

  * 700 series dialup routers (750, 760, and 770 series) are not
    affected.
  * WAN switching products in the IGX and BPX lines are not affected.
  * The MGX (formerly known as the AXIS shelf) is not affected.
  * No host-based software is affected.
  * The Cisco PIX Firewall is not affected.
  * The Cisco LocalDirector is not affected.
  * The Cisco Cache Engine is not affected.

Details
=======

ARP packets, both request and reply, received by the router for the
router's own interface address or global Network Address Translation
(NAT) entries, but a different MAC address will overwrite the router's
MAC address in the router's ARP table with the one in the ARP request or
reply. Cisco IOS router devices will defend the MAC address of an
interface for several attempts, but in an attempt to prevent an ARP
storm, the device will accept the incorrect information into the ARP
table, which causes the interface to stop accepting new ARP entries, and
entries will not be accepted or updated in the ARP table. This behavior
has been repaired to properly defend the interface MAC address, with rate
limiting the response to avoid an ARP storm on the local network. This
attack can only be carried out from the local network. This defect is
documented in Cisco Bug ID CSCdu81936 and is repaired in future versions
of Cisco IOS code. This defect is duplicated by the following Cisco Bug
ID's: CSCdv83509, CSCdv63206, CSCdv77242, CSCdv77220, CSCdu85209.
Additionally, a configuration workaround is available.

Impact
======

This issue can cause a Cisco Router to be vulnerable to a
Denial-of-Service attack, once the ARP table entries time out. This
defect does not result in a failure of confidentiality of information
stored on the unit, nor does this defect allow hostile code to be loaded
onto a Cisco device. This defect may cause a denial of service on the
management functions of a Cisco Switch, but does not affect traffic
through the device.

Software Versions and Fixes
===========================

+===================================================================+
| Major | Description or | Availability of Repaired Releases* |
| Release | Platform | |
|-----------------------------+-------------------------------------|
| Affected Earlier Releases | Rebuild | Interim | Maintenance |
| | | ** | |
+=============================+=====================================+
| 11.1 and | | |
| earlier, | Numerous | Upgrade to repaired release or use |
| all | | workaround |
| variants | | |
+=============================+=====================================+
| 11.2-based Releases | Rebuild | Interim | Maintenance |
| | | ** | |
+=============================+=====================================+
| | Major release | |
| 11.2 | for all | Not affected after 11.2(13) |
| | platforms | |
|----------+------------------+-------------------------------------|
| 11.2P | New platform | Not affected after 11.2(12)P |
| | support | |
+=============================+=====================================+
| 11.3-based Releases | Rebuild | Interim | Maintenance |
| | | ** | |
+=============================+=====================================+
| | Major release | |
| 11.3 | for all | Not affected after 11.3(3) |
| | platforms | |
|----------+------------------+-------------------------------------|
| | Early deployment | |
| 11.3T | major release, | Not affected after 11.3(3)T |
| | feature-rich for | |
| | early adopters | |
+=============================+=====================================+
| 12.0-based Releases | Rebuild | Interim | Maintenance |
| | | ** | |
+=============================+=====================================+
| | General | | | |
| 12.0 | Deployment (GD) | | 12.0 | 12.0(20) |
| | candidate: all | | (19.6) | |
| | platforms | | | |
|----------+------------------+-------------------------------------|
| | xDSL support: | Unavailable |
|12.0DA |6100, 6200 |-------------------------------------|
| | | Upgrade recommended to 12.2DA |
|----------+------------------+-------------------------------------|
| | Early deployment | Unavailable |
|12.0DB |release for 6400 |-------------------------------------|
| | NSP | Upgrade recommended to 12.1T or |
| | | later |
|----------+------------------+-------------------------------------|
| | Early deployment | Unavailable |
|12.0DC |release for 6400 |-------------------------------------|
| | NRP | Upgrade recommended to 12.2(2)B |
| | | when available |
|----------+------------------+-------------------------------------|
| | Core/ISP | | | 12.0(21)S |
| 12.0S | support: GSR, | | | 2002-Jan-14 |
| | RSP, c7200 | | | |
|----------+------------------+-------------------------------------|
| | | Unavailable |
|12.0SC |Cable/broadband |-------------------------------------|
| | ISP: ubr7200 | Upgrade recommended to 12.1EC, or |
| | | use workaround |
|----------+------------------+-------------------------------------|
| | | Unavailable |
|12.0SL |10000 ESR: c10k |-------------------------------------|
| | | Upgrade recommended to 12.0ST, or |
| | | use workaround |
|----------+------------------+-------------------------------------|
| 12.0SP | c10720 | | | 12.0(20)SP |
|----------+------------------+-------------+---------+-------------|
| | MPLS/Tag | | | |
| 12.0ST | Switching, GSR | | | 12.0(20)ST |
| | 12000, 7200, | | | 2001-Nov-26 |
| | 7500 | | | |
|----------+------------------+-------------------------------------|
| | Early Deployment | |
| | (ED): VPN, | Unavailable |
| | Distributed | |
|12.0T |Director, |-------------------------------------|
| | various | |
| | platforms | Upgrade recommended to 12.1(11) |
| | | |
|----------+------------------+-------------------------------------|
| | Catalyst | | | |
| | switches: | | | 12.0(20)W5 |
| | cat8510c, | | | (24) |
| | cat8540c, | | | |
| |ls1010, | | |-------------|
| | cat8510m, | | | |
| | cat8540m, | | | 2002-Jan-07 |
| | cat5atm | | | |
|12.0W5 |------------------+-------------+---------+-------------|
| | Catalyst | | | 12.0(18)W5 |
| | switches: | | | (22a) |
| |cat2948g-L3, | | |-------------|
| | cat4232 | | | 2001-Dec-1 |
| |------------------+-------------+---------+-------------|
| | | | | 12.0(16)W5 |
| | Catalyst | | | (21b) |
| |switches: c6msm | | |-------------|
| | | | | 2001-Nov-29 |
|----------+------------------+-------------+---------+-------------|
| 12.0WC | Catalyst 2900xl | 12.0(5)WC3 | | |
| | | 2002-Jan | | |
|----------+------------------+-------------------------------------|
| | Catalyst | |
| 12.0WT | switches: | Not affected |
| | cat4840g | |
|----------+------------------+-------------------------------------|
| | Early Deployment | Unavailable |
|12.0XA |(ED): limited |-------------------------------------|
| | platforms | Upgrade recommended to 12.1(11) |
|----------+------------------+-------------------------------------|
| | Short-lived | Unavailable |
|12.0XB |early deployment |-------------------------------------|
| | release | Upgrade recommended to 12.1(11) |
|----------+------------------+-------------------------------------|
| | Early Deployment | Unavailable |
|12.0XC |(ED): limited |-------------------------------------|
| | platforms | Upgrade recommended to 12.1(11) |
|----------+------------------+-------------------------------------|
| | Early Deployment | Unavailable |
|12.0XD |(ED): limited |-------------------------------------|
| | platforms | Upgrade recommended to 12.1(11) |
|----------+------------------+-------------------------------------|
| | Early Deployment | Unavailable |
|12.0XE |(ED): limited |-------------------------------------|
| | platforms | Upgrade recommended to 12.1(11)E, |
| | | available 2001-Dec-10 |
|----------+------------------+-------------------------------------|
| | Early Deployment | Unavailable |
|12.0XF |(ED): limited |-------------------------------------|
| | platforms | Upgrade recommended to 12.1(11) |
|----------+------------------+-------------------------------------|
| | Early Deployment | Unavailable |
|12.0XG |(ED): limited |-------------------------------------|
| | platforms | Upgrade recommended to 12.1(11) |
|----------+------------------+-------------------------------------|
| | Early Deployment | Unavailable |
|12.0XH |(ED): limited |-------------------------------------|
| | platforms | Upgrade recommended to 12.1(11) |
|----------+------------------+-------------------------------------|
| | Early Deployment | Unavailable |
|12.0XI |(ED): limited |-------------------------------------|
| | platforms | Upgrade recommended to 12.1(11) |
|----------+------------------+-------------------------------------|
| | Early Deployment | Unavailable |
|12.0XJ |(ED): limited |-------------------------------------|
| | platforms | Upgrade recommended to 12.1(11) |
|----------+------------------+-------------------------------------|
| | | |
| | Early Deployment | Unavailable |
| 12.0XK | (ED): limited | |
| |platforms |-------------------------------------|
| | | Upgrade recommended to 12.1(11) |
|----------+------------------+-------------------------------------|
| | | |
| | Early Deployment | Unavailable |
| 12.0XL | (ED): limited | |
| |platforms |-------------------------------------|
| | | Upgrade recommended to 12.1(11) |
|----------+------------------+-------------------------------------|
| | | |
| | Short-lived | Unavailable |
| 12.0XM | early deployment | |
| |release |-------------------------------------|
| | | Upgrade recommended to 12.1(11) |
|----------+------------------+-------------------------------------|
| | | |
| | Early Deployment | Unavailable |
| 12.0XN | (ED): limited | |
| |platforms |-------------------------------------|
| | | Upgrade recommended to 12.1(11) |
|----------+------------------+-------------------------------------|
| | | |
| | Early Deployment | Unavailable |
| 12.0XP | (ED): limited | |
| |platforms |-------------------------------------|
| | | Workaround recommended |
|----------+------------------+-------------------------------------|
| | | |
| | Short-lived | Unavailable |
| 12.0XQ | early deployment | |
| |release |-------------------------------------|
| | | Upgrade recommended to 12.1(11) |
|----------+------------------+-------------------------------------|
| | | |
| | Short-lived | Unavailable |
| 12.0XR | early deployment | |
| |release |-------------------------------------|
| | | Upgrade recommended to 12.1(11) |
|----------+------------------+-------------------------------------|
| | | |
| | Short-lived | Unavailable |
| 12.0XS | early deployment | |
| |release |-------------------------------------|
| | | Upgrade recommended to 12.1(11)E, |
| | | available 2001-DEC-10 |
|----------+------------------+-------------------------------------|
| | | |
| | Early Deployment | Unavailable |
| 12.0XU | (ED): limited | |
| |platforms |-------------------------------------|
| | | Upgrade recommended or use |
| | | workaround |
|----------+------------------+-------------------------------------|
| | | |
| | Short-lived | Unavailable |
| 12.0XV | early deployment | |
| |release |-------------------------------------|
| | | Upgrade recommended to 12.2 |
+=============================+=====================================+
| 12.1-based Releases | Rebuild | Interim | Maintenance |
| | | ** | |
+=============================+=====================================+
| | General | | | |
| 12.1 | Deployment (GD) | | 12.1 | 12.1(11) |
| | candidate: all | | (10.3) | |
| | platforms | | | |
|----------+------------------+-------------+---------+-------------|
| 12.1AA | Dial Support | | | 12.1(10)AA |
| | | | | 2001-Nov-12 |
|----------+------------------+-------------------------------------|
| | | Unavailable |
| 12.1DA | xDSL Support: | |
| |6100, 6200 |-------------------------------------|
| | | Upgrade recommended to 12.2.T |
|----------+------------------+-------------------------------------|
| | Cisco 6400 | Upgrade recommended to 12.2(2)B |
| 12.1DB | Universal Access | when available |
| | Concentrator | |
|----------+------------------+-------------------------------------|
| 12.1DC | xDSL NRP | Upgrade recommended to 12.2(2)B |
| | support: c6400r | when available |
|----------+------------------+-------------------------------------|
| | Core/ISP | | | 12.1(11)E |
| 12.1E | Support: GSR, | | | 2001-DEC-10 |
| | RSP, c7200 | | | |
|----------+------------------+-------------+---------+-------------|
| | Catalyst 2950 | 12.1(6)EA2 | | |
| | | 2001-Dec | | |
|12.1EA |------------------+-------------+---------+-------------|
| | | 12.1(6) | | |
| | Catalyst 3550 | EA1a | | |
| | | 2001-DEC | | |
|----------+------------------+-------------+---------+-------------|
| | Early Deployment | | | |
| 12.1EC | (ED): ubr7200, | | 12.1 | 12.1(9)EC |
| | UBR Headend | | (8.5)EC | |
| | platforms | | | |
|----------+------------------+-------------------------------------|
| | | Unavailable |
|12.1EX |Catalyst 6000 |-------------------------------------|
| | | Upgrade recommended to 12.1(11)E |
|----------+------------------+-------------------------------------|
| 12.1EY | Catalyst 8510, | Not Affected |
| | 8540, LS1010 | |
|----------+------------------+-------------------------------------|
| | Early Deployment | 12.1(6)EZ4 | | |
| 12.1EZ | (ED): limited | 2001-Nov-02 | | |
| | platforms | | | |
|----------+------------------+-------------------------------------|
| | | |
| | New technology | Unavailable |
| 12.1T | Early Deployment | |
| | (ED): all | |
| |platforms |-------------------------------------|
| | | Upgrade recommended to 12.2 |
|----------+------------------+-------------------------------------|
| | | |
| | Early Deployment | Unavailable |
| 12.1XA | (ED): limited | |
| |platforms |-------------------------------------|
| | | Upgrade recommended to 12.2 |
|----------+------------------+-------------------------------------|
| | | |
| | Early Deployment | Unavailable |
| 12.1XB | (ED): limited | |
| |platforms |-------------------------------------|
| | | Upgrade recommended to 12.2 |
|----------+------------------+-------------------------------------|
| | | |
| | Early Deployment | Unavailable |
| 12.1XC | (ED): limited | |
| |platforms |-------------------------------------|
| | | Upgrade recommended to 12.2 |
|----------+------------------+-------------------------------------|
| | | |
| | Early Deployment | Unavailable |
| 12.1XD | (ED): limited | |
| |platforms |-------------------------------------|
| | | Upgrade recommended to 12.2 |
|----------+------------------+-------------------------------------|
| | | |
| | Early Deployment | Unavailable |
| 12.1XE | (ED): limited | |
| |platforms |-------------------------------------|
| | | Upgrade recommended to 12.2 |
|----------+------------------+-------------------------------------|
| | Early Deployment | 12.1(2)XF5 | | |
| 12.1XF | (ED): limited | 2002-Jan | | |
| | platforms | | | |
|----------+------------------+-------------+---------+-------------|
| | Early Deployment | 12.1(3)XG6 | | |
| 12.1XG | (ED): limited | 2002-Jan | | |
| | platforms | | | |
|----------+------------------+-------------------------------------|
| | | |
| | Early Deployment | Unavailable |
| 12.1XH | (ED): limited | |
| |platforms |-------------------------------------|
| | | Upgrade recommended to 12.2 |
|----------+------------------+-------------------------------------|
| | | |
| | Early Deployment | Unavailable |
| 12.1XI | (ED): limited | |
| |platforms |-------------------------------------|
| | | Upgrade recommended to 12.2 |
|----------+------------------+-------------------------------------|
| | | |
| | Early Deployment | Unavailable |
| 12.1XJ | (ED): limited | |
| |platforms |-------------------------------------|
| | | Upgrade recommended to 12.2 |
|----------+------------------+-------------------------------------|
| | | |
| | Early Deployment | Unavailable |
| 12.1XK | (ED): limited | |
| |platforms |-------------------------------------|
| | | Upgrade recommended to 12.2 |
|----------+------------------+-------------------------------------|
| | | |
| | Early Deployment | Unavailable |
| 12.1XL | (ED): limited | |
| |platforms |-------------------------------------|
| | | Upgrade recommended to 12.2 |
|----------+------------------+-------------------------------------|
| | Early Deployment | 12.1(5)XM6 | | |
| 12.1XM | (ED): limited | 2001-Dec-03 | | |
| | platforms | | | |
|----------+------------------+-------------------------------------|
| | | |
| | Early Deployment | Unavailable |
| 12.1XP | (ED): limited | |
| |platforms |-------------------------------------|
| | | Upgrade recommended to 12.2(2)T |
|----------+------------------+-------------------------------------|
| | | |
| | Early Deployment | Unavailable |
| 12.1XQ | (ED): limited | |
| |platforms |-------------------------------------|
| | | Upgrade recommended to 12.2(2)T |
|----------+------------------+-------------------------------------|
| | | |
| | Early Deployment | Unavailable |
| 12.1XR | (ED): limited | |
| |platforms |-------------------------------------|
| | | Upgrade recommended to 12.2(7)T |
|----------+------------------+-------------------------------------|
| | Early Deployment | 12.2(2)XC1 | | |
| 12.1XS | (ED): limited | 2001-DEC-3 | | |
| | platforms | | | |
|----------+------------------+-------------------------------------|
| | | |
| | Early Deployment | Unavailable |
| 12.1XT | (ED): limited | |
| |platforms |-------------------------------------|
| | | Upgrade recommended to 12.2(7)T |
|----------+------------------+-------------------------------------|
| | Early Deployment | |
| 12.1XU | (ED): limited | Not affected |
| | platforms | |
|----------+------------------+-------------------------------------|
| | Early Deployment | 12.2(2)XB2 | | |
| 12.1XV | (ED): limited | 2001-DEC-17 | | |
| | platforms | | | |
|----------+------------------+-------------+---------+-------------|
| | Early Deployment | | | |
| 12.1XW | (ED): limited | | | 12.1(11) |
| | platforms | | | |
|----------+------------------+-------------+---------+-------------|
| | Early Deployment | | | |
| 12.1XX | (ED): limited | | | 12.1(11) |
| | platforms | | | |
|----------+------------------+-------------+---------+-------------|
| | Early Deployment | | | |
| 12.1YA | (ED): limited | | | 12.2(2)XB |
| | platforms | | | |
|----------+------------------+-------------+---------+-------------|
| | Early Deployment | 12.1(5)YB5 | | |
| 12.1YB | (ED): limited | 2002-Jan | | |
| | platforms | | | |
|----------+------------------+-------------+---------+-------------|
| | Early Deployment | 12.1(5)YC2 | | |
| 12.1YC | (ED): limited | 2002-Jan | | |
| | platforms | | | |
|----------+------------------+-------------------------------------|
| | Early Deployment | |
| 12.1YD | (ED): limited | Migrate to 12.2(7)T |
| | platforms | |
|----------+------------------+-------------------------------------|
| | Early Deployment | 12.1(5)YE4 | | |
| 12.1YE | (ED): limited | 2001-Nov-19 | | |
| | platforms | | | |
|----------+------------------+-------------+---------+-------------|
| | Early Deployment | 12.1(5)YF3 | | |
| 12.1YF | (ED): limited | 2001-Nov | | |
| | platforms | | | |
|----------+------------------+-------------------------------------|
| | Early Deployment | |
| 12.1YH | (ED): limited | Not Affected |
| | platforms | |
+=============================+=====================================+
| Affected 12.2-based | Rebuild | Interim | Maintenance |
| Releases | | ** | |
+=============================+=====================================+
| | General | | | |
| 12.2 | Deployment (GD) | | 12.2 | 12.2(5) |
| | candidate: all | | (4.2) | |
| | platforms | | | |
|----------+------------------+-------------+---------+-------------|
| 12.2DD | 7200, 7400 | 12.2(2)DD1 | | |
| | | 2001-Nov-19 | | |
|----------+------------------+-------------+---------+-------------|
| | Early Deployment | | | 12.2(7)T |
| 12.2T | (ED): limited | | | 2002-Feb |
| | platforms | | | |
|----------+------------------+-------------+---------+-------------|
| | Early Deployment | 12.2(2)XA4 | | |
| 12.2XA | (ED): limited | 2001-Dec-3 | | |
| | platforms | | | |
|----------+------------------+-------------+---------+-------------|
| | Early Deployment | 12.2(2)XB2 | | |
| 12.2XB | (ED): limited | 2001-Dec-17 | | |
| | platforms | | | |
|----------+------------------+-------------+---------+-------------|
| | Early Deployment | 12.2(2)XC1 | | |
| 12.2XC | (ED): limited | 2001-DEC-3 | | |
| | platforms | | | |
|----------+------------------+-------------+---------+-------------|
| | Early Deployment | 12.2(1)XD3 | | |
| 12.2XD | (ED): limited | 2002-Jan | | |
| | platforms | | | |
|----------+------------------+-------------+---------+-------------|
| | Early Deployment | 12.2(1)XE2 | | |
| 12.2XE | (ED): limited | 2002-Jan | | |
| | platforms | | | |
|----------+------------------+-------------+---------+-------------|
| | Early Deployment | 12.2(2)XG1 | | |
| 12.2XG | (ED): limited | 2001-DEC-17 | | |
| | platforms | | | |
|----------+------------------+-------------+---------+-------------|
| | Early Deployment | 12.2(2)XH2 | | |
| 12.2XH | (ED): limited | 2002-Jan | | |
| | platforms | | | |
|----------+------------------+-------------+---------+-------------|
| | Early Deployment | 12.2(2)XI1 | | |
| 12.2XI | (ED): limited | 2002-Jan | | |
| | platforms | | | |
|----------+------------------+-------------+---------+-------------|
| | Early Deployment | 12.2(2)XJ2 | | |
| 12.2XJ | (ED): limited | 2002-Jan | | |
| | platforms | | | |
|----------+------------------+-------------+---------+-------------|
| | Early Deployment | 12.2(2)XK5 | | |
| 12.2XK | (ED): limited | 2002-Jan | | |
| | platforms | | | |
|----------+------------------+-------------+---------+-------------|
| | Early Deployment | 12.2(2)XQ2 | | |
| 12.2XQ | (ED): limited | 2002-Jan | | |
| | platforms | | | |
+===================================================================+
| Notes |
+===================================================================+
| * All dates are estimated and subject to change. |
| |
| ** Interim releases are subjected to less rigorous testing than |
| regular maintenance releases, and may have serious bugs. |
| |
| *** This release does not have a rebuild solution. Customers |
| should upgrade to 12.2T when it becomes available. This is not a |
| misprint. |
+===================================================================+

Obtaining Fixed Software
========================

Cisco is offering free software upgrades to remedy this vulnerability for
all affected customers. Customers with service contracts may upgrade
to any software version. Customers without contracts may upgrade only
within a single row of the table above, except that any available fixed
software will be provided to any customer who can use it and for whom the
standard fixed software is not yet available. As always, customers
may install only the feature sets they have purchased.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's Worldwide Web
site at http://www.cisco.com. Customers whose Cisco products are provided
or maintained through prior or existing agreement with third-party
support organizations such as Cisco Partners, authorized resellers, or
service providers should contact that support organization for assistance
with the upgrade, which should be free of charge.

Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:

  * +1 800 553 2447 (toll-free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested
through the TAC. Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.

Workarounds
===========

The workaround for this vulnerability is to enter the router interface
MAC address into the arp table with an configuration entry, sometimes
known as "hard coding" the ARP table entry.

The syntax for this command for routers and switches running IOS is as
follows:

    arp <ip-address> <hardware-address> <type>

The syntax for this command for switches running CatOS is as follows:

    set arp [dynamic|permanent|static] <ip_address> <hardware_address>

The caveat to this workaround is identified with defect CSCdv04366, which
will clear all manually entered MAC addresses from the ARP table, when
they are the same as the interface MAC address, when the command "clear
arp" is issued on the router. This workaround does not survive a reboot
of the router, and must be re-written to the configuration after any
reload or reboot.

Exploitation and Public Announcements
=====================================

This vulnerability was disclosed at the Black Hat conferences in Las
Vegas this year by Kevin DePeugh <v0nelm0@best.com> and Jeff Nathan
<jeff@wwti.com>. There have been isolated reports of exploitation of
this vulnerability, and workarounds implemented circumvented the
attacks. This attack is known as the "Sonic Boom", and tools are readily
available.

Status of This Notice: FINAL
============================

This is a final notice. Although Cisco cannot guarantee the accuracy of
all statements in this notice, all of the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions
of this notice unless there is some material change in the facts. Should
there be a significant change in the facts, Cisco may update this notice.

A standalone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain factual
errors.

Distribution
============

This notice will be posted on Cisco's Worldwide Web site at http://
www.cisco.com/warp/public/707/IOS-arp-overwrite-vuln-pub.shtml. In
addition to Worldwide Web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients:

  * cust-security-announce@cisco.com
  * bugtraq@securityfocus.com
  * first-teams@first.org (includes CERT/CC)
  * cisco@spot.colorado.edu
  * comp.dcom.sys.cisco
  * firewalls@lists.gnac.com
  * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's
Worldwide Web server, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged to
check the URL given above for any updates.

Revision History
================

                                                                         
+-----------------------------------------------------------------------+
|Revision|15-November-2001 | For public release 15-NOV-2001 08:00 AM US/|
|1.0 | |Pacific (UTC-0700) |
+-----------------------------------------------------------------------+

 

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
Worldwide Web site at http://www.cisco.com/warp/public/707/
sec_incident_response.shtml. This includes instructions for press
inquiries regarding Cisco security notices. All Cisco Security Advisories
are available at http://www.cisco.com/go/psirt.
- -------------------------------------------------------------------------

This notice is Copyright 2001 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, and
include all date and version information.
- -------------------------------------------------------------------------

All contents are Copyright © 1992--2001 Cisco Systems Inc. All rights
reserved. Important Notices and Privacy Statement.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQEVAwUBO/P63g/VLJ+budTTAQGeFAf/b3We4VLixOftM/r0Ao/+En+hcdfI6yEO
Pzceanq3tXooBYulGhGpBNXRCmPYzEzqsC4t3Ph5v9U8Pr8PZckQKroduSjsLlWg
2LFspKO8kCzQoA1+VLoN5dcrCaj32QdYxPM/WtigKDyydQGK+3fiCmKiGYt6XPGT
NCJxxy6NccDCC4B42F01AMWhuoSz7GbcFG8cdzZXyja5KQE+tVFUx6nWeKOD2eYU
t6Hsw6FnGQrKZyJM1XUsYO3bddFh615irOVOHfjRq9rKNnucOtG0WRLlwXy5Qskv
pDbpQh5Nab7jBTJhT6NbQh+P5bR5upvgR5bj0LFSIYtHhnOPqL3CTA==
=89e1
-----END PGP SIGNATURE-----



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:23 EDT