Wednesday, March 28, 2018

Cisco IOS and IOS XE Software DHCP Version 4 Relay Heap Overflow Denial of Service Vulnerability

This vulnerability affects Cisco devices that meet all the following criteria:

  • The device is running a vulnerable release of Cisco IOS Software or Cisco IOS XE Software. For information about which Cisco IOS and IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory.
  • An interface of the device is configured as a DHCP relay agent.
  • The device or an interface of the device is configured to insert DHCP relay agent information (option 82 information) into DHCP packets.
  • The device or an interface of the device is configured to encapsulate option 82 information that it receives from other DHCP relay agents.

Assessing the DHCP Relay Agent Configuration

To determine whether any interfaces of a device are configured as a DHCP relay agent, administrators can log in to the device and use the show running-config | include ip helper-address command in the CLI. If the device is a Cisco cBR-8 Converged Broadband Router, administrators should instead use the show running-config | include cable helper-address command in the CLI.

If the command returns output, at least one interface of the device is configured as a DHCP relay agent.

The following example shows the output of the show running-config | include ip helper-address command for a device that is running Cisco IOS Software and has an interface that is configured to act as a DHCP relay agent and forward DHCP packets to the DHCP server address 10.10.10.1:

Router# show running-config | include ip helper-address

ip helper-address  10.10.10.1
Router#

If the show running-config | include ip helper-address command, or the show running-config | include cable helper-address command on a Cisco cBR-8 Router, does not return any output, none of the interfaces of the device are configured as a DHCP relay agent.

Assessing Support for Option 82 Insertion

To determine whether a device or an interface of a device is configured to insert option 82 information into DHCP packets, administrators can log in to the device and use the show running-config | include ip dhcp relay information option command in the CLI.

If the command output contains any of the following, the device is configured to insert option 82 information into DHCP packets:

  • ip dhcp relay information option-insert—Interface configuration, appears under the interface that is configured as a DHCP relay agent
  • ip dhcp relay information option server-id-override—Interface configuration, appears under the interface that is configured as a DHCP relay agent
  • ip dhcp relay information option—Global configuration

The following example shows the output of the show running-config | include ip dhcp relay information option command for a device that is running Cisco IOS Software and has an interface that is configured to both act as a DHCP relay agent and insert option 82 information into DHCP packets:

Router# show running-config | include ip dhcp relay information option
ip dhcp relay information option-insert
Router#

If the show running-config | include ip dhcp relay information option command does not return any output, neither the device nor any interfaces of the device are configured to insert option 82 information into DHCP packets.

Assessing Support for Option 82 Encapsulation

To determine whether a device or an interface of a device is configured to encapsulate DHCP option 82 information that it receives from other DHCP relay agents, administrators can log in to the device and use the show running-config | include ip dhcp relay information policy.* encapsulate command in the CLI.

If the command output contains either of the following, the device is configured to encapsulate option 82 information that it receives:

  • ip dhcp relay information policy-action encapsulate—Interface configuration, appears under the interface that is configured as a DHCP relay agent
  • ip dhcp relay information policy encapsulate—Global configuration

The following example shows the output of the command for a device that is running Cisco IOS Software and is configured to both act as a DHCP relay agent and encapsulate option 82 information that it receives from other DHCP relay agents:

Router# show running-config | include ip dhcp relay information policy.* encapsulate
ip dhcp relay information policy encapsulate
Router#

If the show running-config | include ip dhcp relay information policy.* encapsulate command does not return any output, neither the device nor any interfaces of the device are configured to encapsulate option 82 information.
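The three configuration checks above can be applied offline to a saved running-config. The following is an added example, not part of the Cisco advisory: it takes the text of `show running-config` (a constructed sample is embedded), ignores negated `no ...` lines that a plain `| include` filter would also match, and reports which of the advisory's criteria are met. The software-release check remains a separate step.

```python
# Constructed sample of `show running-config` output (not from the advisory);
# all three configuration criteria from the advisory are present here.
SAMPLE_RUNNING_CONFIG = """\
!
ip dhcp relay information option
ip dhcp relay information policy encapsulate
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip helper-address  10.10.10.1
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
end
"""

# Command prefixes listed in the advisory's assessment sections
# (global and interface forms of each setting).
RELAY_AGENT = ("ip helper-address", "cable helper-address")
OPTION82_INSERT = (
    "ip dhcp relay information option-insert",
    "ip dhcp relay information option server-id-override",
    "ip dhcp relay information option",
)
OPTION82_ENCAPSULATE = (
    "ip dhcp relay information policy-action encapsulate",
    "ip dhcp relay information policy encapsulate",
)


def _config_lines(running_config):
    """Yield stripped config lines, skipping comments and negated 'no ...' commands."""
    for raw in running_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("no "):
            continue
        yield line


def _has_any(lines, prefixes):
    return any(line.startswith(p) for line in lines for p in prefixes)


def assess_config(running_config):
    """Apply the advisory's three configuration criteria to a running-config.

    Returns one boolean per criterion plus 'exposed', which is True only when
    all three are met (the vulnerable-release check is done separately).
    """
    lines = list(_config_lines(running_config))
    relay = _has_any(lines, RELAY_AGENT)
    insert = _has_any(lines, OPTION82_INSERT)
    encap = _has_any(lines, OPTION82_ENCAPSULATE)
    return {
        "dhcp_relay_agent": relay,
        "option82_insertion": insert,
        "option82_encapsulation": encap,
        "exposed": relay and insert and encap,
    }
```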

Determining the Cisco IOS Software Release

To determine which Cisco IOS Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The banner also displays the installed image name in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output.

The following example shows the output of the command for a device that is running Cisco IOS Software Release 15.5(2)T1 and has an installed image name of C2951-UNIVERSALK9-M:

Router> show version

Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 22-Jun-15 09:32 by prod_rel_team
.
.
.

For information about the naming and numbering conventions for Cisco IOS Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

Determining the Cisco IOS XE Software Release

To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text.

The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M:

ios-xe-device# show version

Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
.
.
.

For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

No other Cisco products are currently known to be affected by this vulnerability.

Cisco has confirmed that this vulnerability does not affect Cisco IOS XR Software or Cisco NX-OS Software.
from Cisco Security Advisory https://ift.tt/2pNZN5Z