Cisco Patches IPv6 Vulnerability in Carrier-Grade Router System

Cisco patched a denial of service vulnerability in its IOS XR software used in carrier-grade routers.

Cisco said on Thursday it has patched a denial of service vulnerability in its IOS XR software used in carrier-grade routers.

The vulnerability, Cisco said, rests in the IPv6 processing code used by IOS XR in the Cisco CRS-3 Carrier Routing System. The bug is remotely exploitable and is due to incorrect processing of legitimate IPv6 packets carrying valid IPv6 extension headers. Cisco said while the headers are valid, they’re unlikely to be seen in “normal operation.”

“An attacker could exploit this vulnerability by sending such an IPv6 packet to an affected device that is configured to process IPv6 traffic,” Cisco said in its advisory. “An exploit could allow the attacker to cause a reload of the line card, resulting in a DoS condition.”

Cisco said that a software update is available, and added there are no workarounds. The advisory adds that the vulnerability was found internally and Cisco is not aware of public exploits.

The vulnerability affects: Cisco IOS XR Releases 4.0.1, 4.0.2, 4.0.3 and 4.0.4; Cisco IOS XR Releases 4.1.0, 4.1.1 and 4.1.2; Cisco IOS XR Release 4.2.0, and is patched in the following software maintenance updates: hfr-px-4.1.0.CSCtx03546.pie for release 4.1.0; hfr-px-4.1.1.CSCtx03546.pie for release 4.1.1; hfr-px-4.1.2.CSCtx03546.pie for release 4.1.2; hfr-px-4.2.0.CSCtx03546.pie for release 4.2.0.

Cisco said the carriers and other customers already running Cisco IOS XR releases 4.2.1 and later are unaffected since the software already contains the fix.

Cisco urges affected customers to patch immediately since the vulnerability can be repeatedly attacked and cause extended downtime on the device. The bug, Cisco said, can be triggered by IPv6 transit traffic, or traffic sent to the device.

Cisco generally sends IOS patches on a semiannual basis, in March and September. The bulk of the March advisories addressed denial of service vulnerabilities in the networking operating system.

Cisco said the most severe issue according to Cisco involves multiple vulnerabilities in Cisco IOS and IOS XE Autonomic Networking Infrastructure, a feature that is vulnerable to remote attack leading to router or switch crashes or a hacker remotely gaining control of the affected device.

Suggested articles

Discussion

  • Michael Horsch Fizz and the Team on

    Thank you Michael Mimoso for the update. Here is some additional information from our Mark and the VIMRO team on IPV6. IPV6: A Tale of Two Protocols Remember when you installed Windows 7 or 8? Or maybe it was Mac OSX? Well, when you installed one of those, you received an IPV6 stack for free! Indeed, the IPv6 protocol was installed and automatically enabled to prepare you for the next generation of IP protocols. Currently your IPv6 traffic is “tunneled” across an existing IPv4 network because we live in an IPv4-dominated world. This tunneling creates an entry point for many vulnerabilities yet to be discovered, although quite a few have already been discovered. The majority of our network traffic monitoring tools are also based on IPv4 computer networking. Focusing on IPv4 protocols without an equal emphasis on IPv6 traffic puts us at risk in this mixed-IPv6 world. We may only be seeing part of the picture. The truly disquieting aspect of IPv6 is that it is constantly looking for configuration information from network routers. This information is easily falsified and may be used to auto-configure IPv6 stacks. There are also many opportunities to “fuzz” the IPv6 protocol to find weaknesses specific to stack implementation. While IPv6 is not currently accessible outside of the local network, this means that the local network may be vulnerable to attack from within, while IPv4 monitoring tools sit idly by. Further, stack-level compromises do not require services to be enabled on a target machine, exposing a vulnerability at a level below web, ftp, and other network services. Therefore, a machine with no network services whatsoever may become a victim of an IPv6-based attack. So for those networks that don’t need IPv6 – disable it! For those that do, consider securing your IPv6 implementation: • Make sure that IPv6 routing information is authoritative for your IPv6 domain • Make sure that IPv6 naming services are authoritative for your IPv6 domain • Ensure that IPv6 parameters applicable to your stack are configured and not open to auto-configuration • Ensure that firewalls that support IPv6 are configured properly • Keep in mind that IPv6 traffic is often tunneled over IPv4 Many broadband networks (cable providers in particular) today support IPv6. These gateway devices may have filtering rules in their firmware permitting the user to limit and filter IPv6 traffic. Make sure that you have enabled as much of this as possible to protect your internal network. While most security companies tend to focus only on the IPv4 network, essentially missing some vulnerabilities that experienced attackers may use to compromise your network, VIMRO actively examines IPv6 as a component in our network assessments.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.