CERT-In Advisory CIAD-2008-18
Multiple vulnerabilities in Cisco IOS

Original issue date: April 04, 2008

Severity Rating: High

Systems Affected

Cisco devices that are running

•  Cisco IOS prior to 12.3 with Virtual Private Dial-up Network (VPDN)
•  DLSw features
•  RSVP service with IPv4/IPv6 Dual-stack Routers
•  Cisco IOS with OSPF, MPLS VPN, and Supervisor 32, Supervisor 720, or Route Switch Processor 720
•  Cisco IOS Multicast Virtual Private Network (MVPN)

Overview

Multiple vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to disclose sensitive information, manipulate certain data, or to cause a DoS (Denial of Service).

Description

The following vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to disclose sensitive information, manipulate certain data, or to cause a DoS (Denial of Service).

1. IOS Virtual Private Dial-up Network Denial of Service Vulnerability (CVE-2008-1150, CVE-2008-1151)

a. A memory leak exists in the handling of completed PPTP sessions, which can be exploited to exhaust memory on an affected system.

b. An error exists in the handling of PPTP sessions when virtual access interfaces are not removed from the interface descriptor block (IDB) and are not reused. This can result in an exhaustion of the interface descriptor block (IDB) limit.

Vulnerabilities #a and #b are reported in Cisco IOS versions prior to 12.3 with VPDN enabled. Continued exploitation of these vulnerabilities results in a DoS state.

2. Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS (CVE-2008-1152)

Memory Management Errors exist in the Data-Link-Switching (DLSw) feature when processing specially crafted UDP and IP protocol 91 packets. This can be exploited to cause a reload of the system or a memory leak.

3. Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6 Dual-stack Routers (CVE-2008-1153)

A resource management error exists in the processing of IPv6 packets. By sending a specially crafted IPv6 packet to the device, an attacker can prevent the interface from receiving additional traffic or, if RSVP service is configured on the interface, cause the device to crash.

Successful exploitation of this vulnerability requires that IPv6 and certain IPv4 UDP services are enabled.

4. Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor 32, Supervisor 720, or Route Switch Processor 720 (CVE-2008-0537)

Vulnerable Cisco devices, when configured for Multi Protocol Label Switching (MPLS) Virtual Private Networking (VPN) and Open Shortest Path First (OSPF) sham-link, can suffer from a blocked queue, memory leak, and/or restart of the device.

5. Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak (CVE-2008-1156)

An error exists in the implementation of Multicast Virtual Private Networks (MVPN), which can be exploited to create extra multicast states on the core routers via specially crafted Multicast Distribution Tree (MDT) Data Join messages. This can also be exploited to receive multicast traffic from VPNs that are not connected to the same Provider Edge (PE).

Successful exploitation of the multicast traffic leak requires that the attacker knows or guesses the Border Gateway Protocol (BGP) peering IP address of a remote PE router and the address of the multicast group that is used in other MPLS VPNs.
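
The configuration conditions described above can be checked against a saved running configuration to decide which devices need attention first. The following Python example is added here and is not part of the CERT-In or Cisco advisory; the IOS command patterns it matches (`vpdn enable`, `dlsw local-peer`, `ip rsvp`, `sham-link`, `mdt default`/`mdt data`) and the sample configuration are assumptions chosen for illustration.

```python
import re

# Constructed sample running-config; every line is made up for this example.
SAMPLE = """\
version 12.2
vpdn enable
ip vrf BLUE
 mdt default 239.1.1.1
interface GigabitEthernet0/1
 ipv6 address 2001:DB8::1/64
 ip rsvp bandwidth 1000
interface GigabitEthernet0/2
 ip rsvp bandwidth 500
router ospf 10 vrf BLUE
 area 0 sham-link 10.0.0.1 10.0.0.2
"""

# (feature, CVEs from the advisory, assumed IOS command pattern that enables it)
GLOBAL_CHECKS = [
    ("DLSw", "CVE-2008-1152", r"^dlsw local-peer\b"),
    ("OSPF sham-link", "CVE-2008-0537", r"^ +area \S+ sham-link\b"),
    ("MVPN", "CVE-2008-1156", r"^ +mdt (default|data)\b"),
]

def interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    blocks = re.findall(r"^interface (.+)\n((?: .*\n?)*)", config, re.M)
    return {name: [l.strip() for l in body.splitlines()] for name, body in blocks}

def audit(config):
    """Return sorted (feature, CVEs, location) tuples for features the advisory names."""
    hits = [(f, c, "global") for f, c, p in GLOBAL_CHECKS if re.search(p, config, re.M)]
    # VPDN issues are reported only for IOS prior to 12.3; an unknown version is flagged.
    ver = re.search(r"^version (\d+)\.(\d+)", config, re.M)
    old = ver is None or (int(ver[1]), int(ver[2])) < (12, 3)
    if old and re.search(r"^vpdn enable\b", config, re.M):
        hits.append(("VPDN", "CVE-2008-1150, CVE-2008-1151", "global"))
    # Dual-stack issue: the crash case needs RSVP and IPv6 on the same interface.
    for name, cmds in interfaces(config).items():
        v6 = any(c.startswith(("ipv6 address", "ipv6 enable")) for c in cmds)
        if v6 and any(c.startswith("ip rsvp ") for c in cmds):
            hits.append(("RSVP on IPv6 interface", "CVE-2008-1153", name))
    return sorted(hits)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A hit only means the feature is configured on the device; whether the running release is fixed must be confirmed against the Cisco advisory.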

Workarounds

Users are advised to follow the guidelines suggested by the vendor in the following corresponding advisories

Solution

Deploy fixed versions of software. For details refer to CISCO Advisory at
http://www.cisco.com/warp/public/707/cisco-sa-20080326-bundle.shtml

Vendor Information

CISCO
http://www.cisco.com/warp/public/707/cisco-sa-20080326-bundle.shtml

References

US-CERT
http://www.kb.cert.org/vuls/id/936177

Secunia
http://secunia.com/advisories/29507/

AusCERT
http://www.auscert.org.au/render.html?it=9018
http://www.auscert.org.au/render.html?it=9019

CIAC
http://www.ciac.org/ciac/bulletins/s-243.shtml

SecurityLab
http://en.securitylab.ru/nvd/349219.php

SecurityFocus
http://www.securityfocus.com/bid/28460

CVE-Name
CVE-2008-1150
CVE-2008-1151
CVE-2008-1152
CVE-2008-1153
CVE-2008-0537
CVE-2008-1156

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003