[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Cisco IOS Remote Router Crash

Title: Cisco IOS Remote Router Crash
Released by: CISCO
Date: 13th August 1998
Printable version: Click here

Field Notice:

Cisco IOS Remote Router Crash


Revision 1.2

For release 08:00 AM US/Pacific, Wednesday, August 12, 1998

Cisco internal use only until release date



An error in Cisco IOS software makes it possible for untrusted,

unauthenticated users who can gain access to the login prompt of a router or

other Cisco IOS device, via any means, to cause that device to crash and


This applies only to devices running classic Cisco IOS software. This

includes most Cisco routers with model numbers greater than or equal to

1000, but does not include the 7xx series, the Catalyst LAN switches, WAN

switching products in the IGX or BPX lines, the AXIS shelf, early models of

the LS1010 or LS2020 ATM switches, or any host-based software.

Who Is Affected


All users of classic Cisco IOS software versions 9.1 and later, but earlier

than the repaired versions listed in the "Details" section of this notice,

whose devices can be connected to interactively by untrusted users, are

affected by this vulnerability. It is not necessary to be able to actually

log in to exploit this vulnerability; simply establishing a terminal

connection is sufficient.

Note that some of the repaired software has been in the field for some time;

you may already have installed it. Please check your software version number

before assuming that you are affected.

The vulnerability can be exploited using direct console or asynchronous

serial connections (including dialup connections), TELNET connections, UNIX

"r" command connections, LAT connections, MOP connections, X.29 connections,

V.120 connections, and possibly others. Except in extraordinary security

environments, administrators are strongly encouraged to assume that hostile

users can find ways to make interactive connections to their Cisco IOS


If you are not running classic Cisco IOS software, then you are not affected

by this vulnerability. If you are unsure whether your device is running

classic Cisco IOS software, log into the device and issue the command show

version. Classic Cisco IOS software will identify itself simply as "IOS" or

"Internetwork Operating System Software", and affected software will have a

version number greater than or equal to 9.1. Other Cisco devices either will

not have the show version command, or will give different output.



If attackers know the details of the Cisco IOS software error they will be

able to cause the router to crash and reload without having to log in to the

router. Because this problem involves damage to an internal data struture,

it is possible that other, more subtle or targeted effects on system

operation could also be induced by proper exploitation. Such exploitation,

if it is possible at all, would require significant engineering skill and a

thorough knowledge of the internal operation of Cisco IOS software,

including Cisco trade secret information.



The Cisco IOS software error has been assigned Cisco bug ID CSCdj43337.

Affected and Repaired Software Versions

- - -------------------------------------

This vulnerability affects all releases of Classic Cisco IOS software from

9.1 up to, but not including, the following corrected releases (including

interim and beta software):

   * 11.3(1),  11.3(1)ED, 11.3(1)T

   * 11.2(10), 11.2(9)P, 11.2(9)XA, 11.2(10)BC

   * 11.1(15)CA, 11.1(16), 11.1(16)IA, 11.1(16)AA, 11.1(17)CC, 11.1(17)CT

   * 11.0(20.3)

Releases of Cisco IOS software up to and including 10.3 have reached end of

support, and no fixes are currently or planned to be available for those

releases. All releases after 9.1 do, however, contain the problem.

All planned fixes to Cisco IOS software have been completed and tested.

Integration into regular released software is complete for all versions

except 11.0. If you are running a version of software earlier than the ones

listed above, please contact the Cisco TAC for assistance.

As of the date of this notice, the fix for this problem is available for the

11.0 release only in the 11.0(20.3) version. This  is an interim release,

and has not been subjected to the same degree of testing as a regular

IOS release. The first regular 11.0 release containing the fix will be

11.0(21). Release of 11.0(21) is tentatively scheduled for mid-September,

1998; this schedule is subject to change. Because of the relative maturity

of the 11.0 Cisco IOS software, Cisco believes that installation of

11.0(20.3) carries less risk than would installation of an interim release

for a newer Cisco IOS version, but customers are advised to use caution in

installing 11.0(20.3), or any other interim release, in any critical device.

Cisco is offering free software upgrades to all vulnerable customers,

regardless of contract status. Customers with service contracts may upgrade

to any Cisco IOS software version. Customers without contracts may upgrade

to the latest versions of the images that they are already running (for

example, from 11.2(2) to 11.2(11), but not from 11.2(2) to 11.3(3)).

Customers without contracts who are running 10.3 or older software will

receive free upgrades to fixed 11.0 versions, but should be careful to make

sure that their hardware can support the new software before upgrading.

Customers with contracts should obtain upgraded software through their

regular update channels (generally via Cisco's Worldwide Web site).

Customers without contracts should contact the Cisco TAC as explained in the

"Cisco Security Procedures" section of this document, and should refer to

the URL of this document as evidence of their entitlement.

As with any software upgrade, you should check to make sure that your

hardware can support the new software before upgrading.  The most common

problem is inadequate RAM. Assistance is available on Cisco's Worldwide Web

site at http://www.cisco.com.


- - ---------

It is possible to work around this problem by preventing interactive access

to the Cisco IOS device. If only IP-based interactive access is of concern,

this can be done by using the ip access-class line configuration to apply an

access list to all virtual terminals in the system. However, it is important

to remember that non-IP-based means of making interactive connections to

Cisco IOS devices do exist, and to eliminate those means as possible routes

of attack. Interactive access can be prevented completely by applying the

configuration command no exec to any asynchronous line, or the command

transport input none to any virtual terminal line, that may be accessible to

untrusted users.

Exploitation and Public Announcements


Cisco has had no actual reports of malicious exploitation of this

vulnerability.  However, there have been sporadic reports of unexplained

crashes that have been consistent with the crashes caused by this

vulnerability; the vulnerability was initially identified because of such a

report. It is possible that the reported crashes could have been caused by

random events, but it is also possible that they could have been deliberate.

Cisco has essentially no information that would be useful in determining

which is the case.  None of the customers reporting the crashes indicated

any suspicion of a deliberate attack.

Cisco knows of no public announcements of this vulnerability before the date

of this notice.

Status of This Notice


This is a final field notice. Although Cisco cannot guarantee the accuracy

of all statements in this notice, all the facts have been checked to the

best of our ability. Cisco does not anticipate issuing updated versions of

this notice unless there is some material change in the facts. Should there

be a significant change in the facts, Cisco may update this notice.


- - ----------

This notice will be posted on Cisco's Worldwide Web site at

http://www.cisco.com/warp/public/770/ioslogin-pub.html. In addition to

Worldwide Web posting, the initial version of this notice is being sent to

the following e-mail and Usenet news recipients:

   * cust-security-announce@cisco.com

   * bugtraq@netspace.org

   * first-teams@first.org (includes CERT/CC)

   * cisco@spot.colorado.edu

   * comp.dcom.sys.cisco

   * first-info@first.org

   * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide

Web server, but may or may not be actively announced on mailing lists or

newsgroups. Users concerned about this problem are encouraged to check the

URL given above for any updates.

Revision History

- - --------------

 Revision 1.2, 9:00   Initial released version

 AM US/Pacific,


Cisco Security Procedures


Please report security issues with Cisco products, and/or sensitive security

intrusion emergencies involving Cisco products, to security-alert@cisco.com.

Reports may be encrypted using PGP; public RSA and DSS keys for

"security-alert@cisco.com" are on the public PGP keyservers.

The alias "security-alert@cisco.com" is used only for reports incoming to

Cisco. Mail sent to the list goes only to a very small group of users within

Cisco. Neither outside users nor unauthorized Cisco employees may subscribe

to "security-alert@cisco.com".

Please do not use "security-alert@cisco.com" for configuration questions,

for security intrusions that you do not consider to be sensitive

emergencies, or for general, non-security-related support requests. We do

not have the capacity to handle such requests through this channel, and will

refer them to the TAC, delaying response to your questions. We advise

contacting the TAC directly with these requests. TAC contact numbers are as


   * +1 800 553 2447 (toll-free from within North America)

   * +1 408 526 7209 (toll call from anywhere in the world)

   * e-mail: tac@cisco.com

All formal public security notices generated by Cisco are sent to the public

mailing list "cust-security-announce@cisco.com". For information on

subscribing to this mailing list, send a message containing the single line

"info cust-security-announce" to "majordomo@cisco.com". An analogous list,

"cust-security-discuss@cisco.com" is available for public discussion of the

notices and of other Cisco security issues.


This notice is copyright 1998 by Cisco Systems, Inc. This notice may be

redistributed freely after the release date given at the top of the notice,

provided that redistributed copies are complete and unmodified, including

all date and version information.


Version: PGP for Personal Privacy 5.0

Charset: noconv








- -----END PGP SIGNATURE----- 

(C) 1999-2000 All rights reserved.