CERT-In Vulnerability Note CIVN-2008-90
Cisco Intrusion Prevention System Jumbo Frame Denial of Service Vulnerability
Original Issue Date:
June 20, 2008
Severity Rating:
Medium
System Affected
- Cisco Intrusion Prevention System version 5.x prior to 5.1(8) E2
- Cisco Intrusion Prevention System version 6.x prior to 6.0(5) E2
Overview
A Denial of Service (DoS) vulnerability has been reported in the handling of jumbo Ethernet frames by Cisco Intrusion Prevention System (IPS) platforms that have gigabit network interfaces installed and are deployed in inline mode.
Description
Jumbo frames are Ethernet packets of up to 9000 bytes in size and are usually deployed to increase inter-server communication performance. Jumbo frame support is not configured by default on Cisco routers and switches; it must be enabled on each device that requires the feature.
In order to exploit this vulnerability, an attacker must be able to inject jumbo Ethernet frames into a vulnerable Cisco IPS platform that is deployed in inline mode.
By injecting a certain series of jumbo Ethernet frames into a gigabit network interface that is in inline mode, a remote attacker could cause a kernel panic, resulting in the complete collapse of the platform and a denial of service condition. The device may then fail to process network traffic, or it may pass traffic unfiltered into internal networks.
Note:
- Platforms deployed in promiscuous mode only or that do not contain gigabit network interfaces are not vulnerable.
- The 4250SX and 4250XL models ship with gigabit network interfaces that are normally used for remote administration and monitoring. If the gigabit network interfaces are configured for use with inline mode, the platform is vulnerable.
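The affected-version list and the conditions in the Note can be combined into a single triage check over a sensor inventory. The following is an added example, not part of the original advisory or Cisco's tooling; the version string shape, the `gigabit_inline` field, the status labels, the sample hosts, and the treatment of the engine level (E1, E2) as the least significant version component are assumptions.

```python
import re

# Fixed releases from "System Affected": (major, minor, maintenance, engine).
FIXED = {5: (5, 1, 8, 2), 6: (6, 0, 5, 2)}

# Assumed version string shape, e.g. "5.1(7)E1" or "6.0(5) E2".
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)\)\s*E(\d+)\s*$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, maintenance, engine) or raise ValueError."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised IPS version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(sensor):
    """Classify one inventory record against the advisory's conditions."""
    try:
        version = parse_version(sensor["version"])
    except ValueError:
        return "unknown-version"        # needs manual review
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "train-not-listed"       # advisory only lists 5.x and 6.x
    if version >= fixed:
        return "fixed"
    # Below the fixed release: per the Note, exposure additionally requires
    # gigabit network interfaces that are configured for inline mode.
    return "vulnerable" if sensor["gigabit_inline"] else "affected-not-exposed"


def triage(inventory):
    """Map each host name to its assessment."""
    return {s["host"]: assess(s) for s in inventory}


# Constructed sample inventory (hosts and values are illustrative only).
INVENTORY = [
    {"host": "ips-dc1", "version": "5.1(7)E1", "gigabit_inline": True},
    {"host": "ips-dc2", "version": "5.1(8)E2", "gigabit_inline": True},
    {"host": "ips-lab", "version": "6.0(4)E2", "gigabit_inline": False},
    {"host": "ips-edge", "version": "6.0(5) E1", "gigabit_inline": True},
    {"host": "ips-old", "version": "4.1", "gigabit_inline": True},
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:10} {status}")
```

Sensors reported as `affected-not-exposed` still run an affected release and become vulnerable if a gigabit interface is later placed in inline mode.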
Workarounds
- Disable jumbo Ethernet support on routers and switches that are directly connected to vulnerable Cisco IPS platforms.
- Restrict access to networks that pass jumbo Ethernet frames.
- Disable the transmission of jumbo Ethernet frames on networks that do not require it.
Solution
Apply appropriate software upgrades as mentioned in the Cisco Security Advisory:
http://www.cisco.com/warp/public/707/cisco-sa-20080618-ips.shtml
Vendor Information
Cisco
http://www.cisco.com/warp/public/707/cisco-sa-20080618-ips.shtml
http://tools.cisco.com/security/center/viewAlert.x?alertId=16107
http://www.cisco.com/en/US/products/products_security_advisory09186a00809b3842.shtml
References
SANS
http://isc.sans.org/diary.html?storyid=4591
US-CERT
http://www.us-cert.gov/current/index.html#cisco_releases_security_advisory2
Secunia
http://secunia.com/advisories/30767/
SecurityTracker
http://www.securitytracker.com/alerts/2008/Jun/1020326.html
ISS
http://xforce.iss.net/xforce/xfdb/43166
AusCERT
http://www.auscert.org.au/render.html?it=9475
CVE Name
CVE-2008-2060
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
