Wednesday, March 28, 2018

Cisco IOS XE Software Switch Integrated Security Features IPv6 Denial of Service Vulnerability

This vulnerability affects the Cisco cBR-8 Converged Broadband Router, Cisco ASR 1000 Series Aggregation Services Routers, and Cisco Cloud Services Router 1000V Series when configured with IPv6.

In the field and internal testing, this vulnerability was only observed or reproduced on the Cisco cBR-8 Converged Broadband Router. The Cisco ASR 1000 Series Aggregation Services Routers and Cisco Cloud Services Router 1000V Series contain the same code logic, so affected trains have had the code fix applied; however, on these two products, the vulnerability has not been observed in the field or successfully reproduced internally.

For information about which Cisco IOS XE Software releases are vulnerable, consult the Cisco bug ID(s) at the top of this advisory.

Assessing the IPv6 Configuration

Administrators can identify interfaces that have assigned IPv6 addresses by using the show ipv6 interface brief command in the CLI. The following example shows the output of the command on a device with IPv6 enabled:

router#show ipv6 interface brief
.
.
.
GigabitEthernet0/0/0 [Up/Up]
 fe80::212:daff:fe62:c150
 2001:DB8::1 

If IPv6 is not supported by the software release that is running on a device, using the show ipv6 interface brief command produces an error message. If IPv6 is not enabled on the device, using the show ipv6 interface brief command does not show any interfaces with IPv6 addresses. In either scenario, the device is not affected by this vulnerability.

Determining the Cisco IOS XE Software Release

To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text.

The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M:

ios-xe-device# show version

Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
.
.
.

For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

No other Cisco products are currently known to be affected by this vulnerability.

Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software.



from Cisco Security Advisory https://ift.tt/2pOenLB

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.