From psirt@cisco.com Tue Apr 12 11:14:36 2005 From: Cisco Systems Product Security Incident Response Team To: full-disclosure@lists.grok.org.uk Cc: psirt@cisco.com Date: Wed, 12 Apr 2005 09:10:44 -0400 Subject: [Full-disclosure] Cisco Security Advisory: Crafted ICMP Messages Can Cause Denial of Service -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Crafted ICMP Messages Can Cause Denial of Service Revision 1.0 For Public Release 2005 April 12 1200 UTC (GMT) +---------------------------------------------------------------------- Contents ======== Summary Affected Products Details Impact Software Versions and Fixes Obtaining Fixed Software Workarounds Exploitation and Public Announcements Status of This Notice: FINAL Distribution Revision History Cisco Security Procedures +---------------------------------------------------------------------- Summary ======= A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt). These attacks, which only affect sessions terminating or originating on a device itself, can be of three types: 1. Attacks that use ICMP "hard" error messages 2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks 3. Attacks that use ICMP "source quench" messages Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type. Multiple Cisco products are affected by the attacks described in this Internet draft. Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en Affected Products ================= Vulnerable Products +------------------ Cisco IOS +-------- Cisco products that run Cisco IOSŪ and that have PMTUD enabled, either by default or because they have been explicitly configured to do PMTUD, are affected. All versions of IOS are impacted. The severity of the exposure depends upon the protocols and applications that rely on specific ICMP messages to perform PMTUD. IOS is not vulnerable to attacks that make use of ICMP "hard" error or "source quench" messages. To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS Software will identify itself as "Internetwork Operating System Software" or simply "IOS." The image name will be displayed between parentheses shortly after this identification (possibly in the next line), followed by "Version" and the IOS release name. Other Cisco devices will not have the show version command or will give different output. The following example identifies a Cisco product running IOS release 12.2(15)T14 with an installed image name of C806-K9OSY6-M: gw>show version Cisco Internetwork Operating System Software IOS (tm) C806 Software (C806-K9OSY6-M), Version 12.2(15)T14, RELEASE SOFTWARE (fc4) [...] The following protocols make use of PMTUD and if enabled in the network may cause IOS devices to be vulnerable to PMTUD attacks. * Transmission Control Protocol over Internet Protocol (IP) Version 4 : if an IOS device establishes TCP sessions with other devices, for example, to speak Border Gateway Protocol (BGP) with other peers, it may be vulnerable to crafted ICMP "fragmentation needed and Don't Fragment (DF) bit set" error messages if PMTUD is enabled. PMTUD is disabled by default for TCP in IOS. PMTUD is enabled if the command ip tcp path-mtu-discovery is present in the device configuration. * Transmission Control Protocol over Internet Protocol Version 6 (IPv6): PMTUD is enabled by default for IPV6; therefore, devices configured for IPv6 are vulnerable to PMTUD attacks if they are running services that rely on TCP, like BGP. If the device is just forwarding IPv6 traffic, i.e., it does not establish TCP sessions with other hosts, then it is not affected. * IP Security (IPSec): when an IOS device is configured to use IPSec, PMTUD is enabled by default, and therefore, the device may be affected by the PMTUD attack described in this document. An IOS device is configured for IPSec if either crypto map or tunnel protection is applied to an interface. For example: crypto ipsec profile IPSEC_PROFILE [...] ! crypto map MYMAP 1 ipsec-isakmp [...] ! interface Tunnel0 tunnel protection ipsec profile IPSEC_PROFILE [...] ! interface Ethernet1 crypto map MYMAP [...] * Generic Routing Encapsulation (GRE) and IPinIP: devices configured to use these tunneling protocols are vulnerable to crafted ICMP "fragmentation needed and DF bit set" messages if PMTUD is enabled. PMTUD is disabled by default for these two protocols. The device is vulnerable if the command tunnel path-mtu-discovery is present in the configuration. * Layer 2 Tunneling Protocol Version 2 (L2TP) and Layer 2 Tunneling Protocol Version 3(L2TPv3): devices configured to use these tunneling protocols are vulnerable to crafted ICMP "fragmentation needed and DF bit set" messages if PMTUD is enabled. PMTUD is disabled by default for these protocols. A device running L2TP is vulnerable if the command ip pmtu appears in the device's configuration. Note: L2TP (version 2) and L2TPv3 (version 3) are two different and independent protocols. Both are affected, but throughout the rest of this document we will refer to them as one since they are affected in the same manner. In addition to IOS-based routers, the following devices also run Cisco IOS or software based on Cisco IOS and are therefore vulnerable: * The Catalyst 4000 and 6000 switches when running IOS in either hybrid (Supervisor Engine running CatOS and Multilayer Switch Feature Card running IOS) or native mode (Supervisor Engine running IOS.) * Cisco Aironet Wireless LAN Access Points and Bridges. * Catalyst 2900XL, 2900XL-LRE, 3500XL, 2940, 2950, 2950-LRE, 2955, and 2970 series switches. * Catalyst 2948G-L3, 3550, 3560, 3750, and 3750-ME series switches. * The Communication Media Module (CMM) * Cisco Optical Network Solutions (ONS) products: the ML and SL blades in the ONS 15454, and the ONS 15530/15540. * Cisco DistributedDirector. Non-IOS Products +--------------- The following non-IOS-based products are also vulnerable: * Cisco CRS-1: the CRS-1 runs IOS XR, which is vulnerable to PMTUD attacks and to attacks that use ICMP "hard" error messages if the CRS-1 establishes TCP sessions with other devices in applications like BGP. PMTUD is disabled by default in IOS XR. PMTUD is enabled if the command tcp path-mtu-discovery is present in the device configuration. Use the show version command to obtain the version of the running IOS XR software. * Cisco PIX Security Appliance is vulnerable to PMTUD attacks if it is configured to use IPSec. IPSec is not enabled by default on the Cisco PIX Security Appliance. The Cisco PIX Security Appliance is using IPSec if the device configuration shows a crypto map applied to an interface through the command crypto map interface . The show version command can be used to determine the running version of the Cisco PIX Security Appliance software. Please note that version 7.0 and later of the PIX Security Appliance software is not affected by these vulnerabilities. * Cisco IP Phones + 7940/7960 with Skinny Client Control Protocol (SCCP) firmware. + 7940/7960 with Session Initiation Protocol (SIP) firmware. + 7970 with Skinny Client Control Protocol firmware (vulnerable only to crafted ICMP hard error messages) The version of the firmware running on your Cisco IP Phone can be found by pressing the "Settings" button of your phone and selecting the "Status" menu options. * Cisco Catalyst 6608 Voice Gateway and Cisco 6000 FXS Analog Interface Module (WS-X6624-FXS) are vulnerable to crafted ICMP hard errors, as well as to crafted ICMP "source quench" messages. To obtain the version of the 6608 and 6624 firmware, log in to your Catalyst 6500 series switch and issue the show version command. * Cisco 11000 and 11500 Content Services Switches (CSS). * Global Site Selector (GSS). * Cisco ONS products: ONS 15302 and ONS 15305. * Cisco MDS 9000 Series Multilayer Switches. * VPN 5000 concentrator. Products Confirmed Not Vulnerable +-------------------------------- The following products are not vulnerable: * Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series and Cisco 7600 Series. * Cisco Guard and Cisco Traffic Anomaly Detector Denial of Service mitigation appliances. * Catalyst Switches. The following Catalyst switches do not run Cisco IOS and therefore are not affected by the vulnerabilities described in this document: + 1200 + 1700 + 1900 + 2100 + 28xx + 2948G-GE-TX + 2900, 2902, 2926T and 2926G + 3000, 3100, 3200 + 3900 + 5000 + The Catalyst 4000 and 6000 switches can run CatOS or IOS. When running CatOS, they are not vulnerable unless a Multilayer Switch Feature Card (MSFC) is present (since the MSFC runs IOS.) When running IOS, they are vulnerable as described above in the Vulnerable Products section. * Cisco ONS products: ONS 15327 Metro Edge Optical Transport Platform, ONS 15454 Optical Transport Platform (MSPP and MSTP), ONS 15531/15532 T31 OMDS Metro WDM System, ONS 15216 EDFA3/EDFA2/OADM, ONS 15310 CL. * Cisco IP Phones + ATA 186/188 + 7910 + 7912 * Cisco VG248 Analog Phone Gateway * Cisco MeetingPlace * Cisco VPN 3000 Series Concentrators, VPN 3002 Hardware Clients, and the VPN Software Client (please note that the VPN Software Client itself is not vulnerable but the operating system the VPN clients runs on may be vulnerable. Please check with your operating system vendor.) * Cisco BTS 10200 Softswitch * Content Engines, Content Routers, and Content Distribution Managers running Cisco Application and Content Networking System (ACNS) software. The following voice and IP communication products are shipped with, and run on top of, the Microsoft Windows operating system. However, the current customization of Microsoft Windows made by Cisco (release 2000-2-6) and included with these products has PMTUD disabled by default. These products may be vulnerable if PMTUD has been enabled by the end user and if Microsoft Windows is affected by the ICMP issues described in this document: * Cisco Call Manager * Cisco IP Interactive Voice Response * Cisco IP Call Center Express * Cisco IP Queue Manager * Cisco Personal Assistant * Cisco Emergency Responder * Cisco Conference Connection * Cisco Internet Service Node The following products use non-Cisco-customized versions of Microsoft Windows. PMTUD is enabled by default on Microsoft Windows, so these products may be vulnerable if this default setting has not been changed and if Microsoft Windows is affected by the ICMP issues described in this document: * Cisco Unity * Cisco IP Contact Center Enterprise Edition * Cisco Secure ACS Solution Engine, also known as the Cisco Secure ACS Appliance To verify whether PMTUD is enabled in the version of Microsoft Windows used by your Cisco product, please check the value of the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery No other Cisco products are currently known to be affected by these vulnerabilities. For all Cisco products that are based on a third-party Operating System and when Cisco is not supplying the OS, please contact the respective vendor for the appropriate vulnerability assessment. It is important to take into consideration that a Cisco product may be impacted if the underlying, non-Cisco operating system is vulnerable. Summary of Vulnerable Products +----------------------------- The following table summarizes how Cisco products are affected by the vulnerabilities described in this document: +-----------------------------------------------+ | Product | Hard | PMTUD | Source | | | Error | | Quench | |--------------+----------+----------+----------| | IOS | Not | Affected | Not | | | affected | | affected | |--------------+----------+----------+----------| | IOS XR | Affected | Affected | Not | | | | | affected | |--------------+----------+----------+----------| | IP Phones | Affected | Affected | Affected | |--------------+----------+----------+----------| | Cisco PIX | Not | | Not | | Security | affected | Affected | affected | | Appliance | | | | |--------------+----------+----------+----------| | Catalyst | | Not | | | 6608 and | Affected | affected | Affected | | 6624 | | | | |--------------+----------+----------+----------| | Cisco 11000 | Not | Not | Affected | | and 11500 | affected | affected | | |--------------+----------+----------+----------| | Cisco GSS | Not | Not | Affected | | | affected | affected | | |--------------+----------+----------+----------| | MDS 9000 | Not | Not | Affected | | | affected | affected | | |--------------+----------+----------+----------| | Cisco VPN | Not | | Not | | 5000 | affected | Affected | affected | | Concentrator | | | | |--------------+----------+----------+----------| | Some ONS | Not | Affected | Not | | products | affected | | affected | +-----------------------------------------------+ Please refer to the Details section for additional information since within one product family different models may be affected differently. Details ======= The Internet Control Message Protocol is an integral part of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite that is used to report error conditions and provide diagnostic information. ICMP error messages can be generated by both end systems and intermediate systems, i.e., routers. End systems and intermediate systems react to error messages received via ICMP in different ways depending on the type of error that is being reported. The types of errors that can be reported via ICMP fall into two categories: "soft" errors and "hard" errors. RFC 1122 ("Requirements for Internet Hosts - Communications Layers" - - http://www.ietf.org/rfc/rfc1122.txt), defines three "hard" errors ("protocol unreachable", "port unreachable", and "fragmentation needed and Don't Fragment bit set") and five "soft" errors ("network unreachable", "host unreachable", "source route failed", "time exceeded", and "parameter problem".) "Source quench" is another ICMP error message that can be generated by Internet hosts, and while RFC 1122 does not clearly classify it as "soft" or "hard", it should be considered as a soft error because of the way this message type should be handled by hosts that receive it: hosts should cut back for a period of time the rate at which they are sending data to the host that generated the ICMP "source quench" message, and then gradually increase the transmission rate again. It is important to note that the "fragmentation needed and Don't Fragment bit set" (type 3, code 4) message is used by an important mechanism called Path MTU Discovery, documented in RFC 1191 ("Path MTU discovery" - http://www.ietf.org/rfc/rfc1191.txt). PMTUD allows some protocols of the TCP/IP protocol suite to dynamically find the MTU of a path so IP fragmentation is minimized and bandwidth can be used more efficiently. This mechanism is not mandatory for Internet hosts, but those that implement it need to treat ICMP "fragmentation needed and DF bit set" messages as "soft" errors. A good reference to understand how IP fragmentation works and the role that PMTUD plays in reducing fragmentation is the Cisco white paper "IP Fragmentation and PMTUD", available at http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml. Making a distinction between the types of errors ("soft" versus "hard") that can be reported via ICMP is important because it dictates how Internet hosts will respond to them. In general, connection-oriented protocols like TCP should abort an existing connection in response to an ICMP "hard" error message, and Internet hosts should try to correct the error condition that elicited the receipt of an ICMP "soft" error message. An IETF Internet Draft entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt) that describes how the ICMP protocol can be used to perform a number of Denial of Service attacks against the TCP protocol has been made publicly available. These attacks require knowledge of the IP addresses and ports (in the case of TCP) that two Internet hosts are using to communicate with each other and can cause connection resets and reduction of throughput in existing connections. Note: these attacks only affect sessions terminating or originating on a device itself, not transit traffic; i.e., traffic that passes through a device, but is destined elsewhere is not affected. Attacks Based on Crafted Hard ICMP Error Messages +------------------------------------------------ Upon receipt of a "hard" ICMP error message, an Internet host must abort the connection with the host to which the ICMP error message applies. This host is not necessarily the system that generated the ICMP message, but it is uniquely identified through the IP header and transport protocol data embedded in the ICMP payload. The reason for this is that "hard" errors represent serious network problems for which there is not a possibility for recovery. Crafted "hard" ICMP error messages could cause an Internet host to incorrectly abort an existing connection when in reality there are no network problems. This type of attack is classified as a "blind connection-reset" attack in the Internet Draft draft-gont-tcpm-icmp-attacks-03.txt. PMTUD Attacks +------------ Crafted "fragmentation needed and DF bit set" ICMP messages can be used to set a connection's Path MTU to a very low, impractical value, if an Internet host is performing PMTUD. This value can cause higher layer protocols to start timing out because of a very low throughput, even though the connection is still in the established state. This type of attack is classified as a "throughput-reduction" attack in the Internet Draft draft-gont-tcpm-icmp-attacks-03.txt. Per the PMTUD algorithm described in RFC 1191, implementations must "age" cached MTU values, which means that the MTU will go back to its optimum size, a process that can take up to 10 minutes (RFC 1191 suggests 10 minutes, but this is not a requirement and therefore it is implementation-dependent.) Please note, however, that if an attacker continues to send crafted ICMP "fragmentation needed and DF bit set" messages to a vulnerable host, the cached MTU will never age, causing a continuous denial-of-service condition. As mentioned before, the ICMP "fragmentation needed and DF bit set" message is considered a "hard" error per RFC 1122 if the Internet host receiving it is not performing PMTUD. This means that a PMTUD attack also has the potential to cause a connection reset. For protocols that make use of a "transport layer" MTU to minimize the risk of fragmentation, like TCP and its Maximum Segment Size (MSS) variable, a good way to determine if a connection is suffering from a successful attack is to monitor the value of this "transport layer" MTU - an unreasonably low value may indicate that an attack has been performed. An example of how to do this in Cisco IOS will be provided later in this document. Note: several common protocols make use of TCP, and therefore may be affected by PMTUD attacks. Some examples include BGP, the Hyper Text Transfer Protocol (HTTP - used in the World Wide Web), the Simple Mail Transfer Protocol (SMTP - used for transferring electronic mail), and Secure Shell (SSH). Some protocols in the IBM suite like Data-Link Switching (DLSw), Serial Tunneling (STUN), and Block Serial Tunneling (BSTUN) can be configured to use TCP as their transport protocol. The Domain Name System (DNS) normally uses User Datagram Protocol (UDP) but in some situations (large zone transfers, for example) it also uses TCP. Attacks Based on Crafted Source Quench ICMP Messages +--------------------------------------------------- As mentioned before, Internet hosts are supposed to cut back the rate at which they send data to another host that generated an ICMP "source quench" message. While the actual response to an ICMP "source quench" message varies by TCP/IP implementation and by the transport layer protocol in use, in general, hosts receiving an ICMP "source quench" message should trigger a congestion avoidance algorithm. In the case of a host using TCP to communicate with another, if an ICMP "source quench" message is received the recommended procedure per RFC 1122 is to trigger a "slow start", as if a retransmission timeout had occurred. RFC 2001 ("TCP Slow Start, Congestion Avoidance, Fast Retransmit, and Fast Recovery Algorithms" - - http://www.ietf.org/rfc/rfc2001.txt) describes the "slow start" and "congestion avoidance" algorithms used in modern implementations of TCP and states that in practice, the "slow start" and "congestion avoidance" algorithms are implemented together. The lower rate at which the sending host transmits data allows the host that generated the ICMP "source quench" message to process and empty its receive buffers. Crafted "source quench" ICMP messages can be used to decrease the rate at which a host is sending data. While over time, as long as no additional Source Quench messages are received, the window size will increase to a reasonable value, a crafted "source quench" message can potentially reduce communication efficiency significantly. If an attacker succeeds in periodic transmission of crafted ICMP "source quench" messages to a vulnerable device, a prolonged degradation of service for that connection may occur. This type of attack is classified as a "throughput-reduction" attack in the Internet Draft draft-gont-tcpm-icmp-attacks-03.txt. How Cisco Products Are Affected +------------------------------ Different Cisco products are affected in different ways to the ICMP attacks described in this document. In some cases, some products are affected when specific configurations or network protocols are in use. What follows is a description of how vulnerable products are affected and under what configurations. Information about specific Cisco bug IDs for each product is presented. Cisco IOS +-------- Cisco IOS is not vulnerable to attacks that make use of ICMP "hard" error messages because IOS checks whether a connection is in the "established" state, and takes action only for connections in the "non-established" state. In addition, IOS does not process ICMP "source quench" messages and therefore, is not vulnerable to attacks that are based on crafting this type of message. IOS is vulnerable to PMTUD attacks as described in the Vulnerable Products section. This means that an attacker could change the Path MTU by crafting an ICMP "fragmentation needed and DF bit set" message ("packet too big" message in the case of IPv6.) The following list provides the Cisco bug IDs for the PMTUD vulnerabilities in different protocols in IOS: * All protocols that make use of PMTUD: CSCef60659 -- More stringent checks required for ICMP unreachables. * Transmission Control Protocol over Internet Protocol Version 4: CSCed78149 -- TCP connections over IP version 4 doing PMTUD are vulnerable to crafted ICMP packets. A good way to verify whether a connection is suffering from the effects of a PMTUD attack is by looking at the MSS value of the connection. For BGP sessions the command "show ip bgp neighbors | include data segment" will display the MSS (denoted as "max data segment"), as in the following example: Router#show ip bgp neighbors | include data segment Datagrams (max data segment is 1460 bytes): Router# The official minimum MTU is 68 bytes, although in today's Internet a MSS less than 576 bytes should be considered suspicious. Section 7 of RFC 1191 contains a list of common MTU values used on the Internet. For other TCP connections, the Transmission Control Block (TCB) of a specific connection must be determined using the command show tcp brief, and then this TCB must be used in the command show tcp tcb | include data segment, which will display the MSS (denoted again as max data segment): Router#show tcp brief TCB Local Address Foreign Address (state) 00E97148 192.168.100.1.23 192.168.100.1.11002 TIMEWAIT 00E97A78 192.168.100.1.23 192.168.100.1.11003 ESTAB 00E975E0 192.168.100.1.11003 192.168.100.1.23 ESTAB Router#show tcp tcb 0x00E975E0 | include data segment Datagrams (max data segment is 1474 bytes): Router# Please note that this technique can also be used for TCP over IPv6. * Transmission Control Protocol over Internet Protocol Version 6: CSCef61610 -- Incorrect handling of ICMPv6 messages can cause TCP performance problems. * IPSec: CSCsa59600 -- IOS IPSec connections may be vulnerable to crafted ICMP packets which may cause IPSec to use very small PMTU values for a given flow. After the PMTU has been decreased by a crafted ICMP "fragmentation needed and DF bit set" message, if no additional ICMP "fragmentation needed and DF bit set" messages are received, the learned MTU will be active for 10 minutes, after which the PMTU is restored to the first-hop data-link MTU, per RFC 1191. A way to verify whether an IPSec tunnel is suffering from the effects of a PMTUD attack is by running the command "show crypto ipsec sa | include mtu", as in the following example: Router#show crypto ipsec sa | include mtu path mtu 1500, media mtu 1500 Router# * Generic Routing Encapsulation and IPinIP: CSCef44699 -- GRE and IPinIP tunnels may be vulnerable to crafted ICMP packets. A way to verify whether a GRE or IPinIP tunnel is suffering from the effects of a PMTUD attack is by running the command "show interface tunnel | include Path MTU", as in the following example: Router#show interface tunnel 0 | include Path MTU Path MTU Discovery, ager 10 mins, MTU 1476, expires never * Layer 2 Tunneling Protocol Version 2 and Layer 2 Tunneling Protocol Version 3: for L2TP version 2 the Cisco bug ID is CSCsa52807 ( registered customers only) -- L2TPv2 doing PMTUD vulnerable to spoofed ICMP packets. For L2TP version 3 the bug ID is CSCef43691 ( registered customers only) -- Connections using Layer 2 Tunneling Protocol v3 (L2TPv3) and doing PMTU discovery may be vulnerable to crafted ICMP packets. A way to verify whether a L2TPv2 session is suffering from the effects of a PMTUD attack is by running the command show vpdn session all | include Session MTU, as in the following example: Router#show vpdn session all | include Session MTU Session MTU is 40 bytes For L2TPv3, a PMTUD attack can be identified by running the command show l2tun session all | include PMTU, as in the following example: Router#show l2tun session all | include Session MTU Session PMTU enabled, path MTU is 32 bytes Session PMTU enabled, path MTU is 32 bytes Session PMTU enabled, path MTU is 32 bytes IOS XR +----- IOS XR is vulnerable to attacks based on ICMP "hard" error messages, as well as to PMTUD attacks. The Cisco Bug ID that documents this vulnerability is CSCef45332 -- CRS-1 connections may be vulnerable to crafted ICMP packets. IOS XR does not process ICMP "source quench" messages, so it is not vulnerable to attacks based on this type of message. Cisco IP Phones +-------------- Different models of Cisco IP Phones are vulnerable to attacks based on ICMP "hard" error messages, ICMP "source quench" messages, and/or PMTUD attacks. * CSCef46728 -- 7940/7960 IP Phone with SCCP firmware may be susceptible to crafted ICMP "hard" error messages. * CSCef54947 -- 7970 IP Phone with SCCP firmware may be susceptible to crafted ICMP "hard" error messages. * CSCef54204 -- 7940/7960 IP Phone with SIP firmware may be vulnerable to crafted ICMP "source quench" error messages. Please note that a 7940/7960 IP Phone with SIP firmware does not support TCP for signaling, so only telnet sessions into the phone (for management) and short-lived HTTP sessions from the phone (to servers providing directory services, for example) are affected by this vulnerability. * CSCef54206 -- 7940/7960 IP Phone with SIP firmware may be vulnerable to crafted ICMP "hard" error messages. Please note that a 7940/7960 IP Phone with SIP firmware does not support TCP for signaling, so only telnet sessions into the phone (for management) and short-lived HTTP sessions from the phone (to servers providing directory services, for example) are affected by this vulnerability. Cisco PIX Security Appliance +--------------------------- A PIX Security Appliance with IPSec configured will actively participate in PMTUD per RFC 1191 and RFC 2401 ("Security Architecture for the Internet Protocol" - http://www.ietf.org/rfc/rfc2401.txt). This means that the PIX Security Appliance can dynamically discover and adjust its path MTU for a given IPSec flow when it receives an ICMP "fragmentation needed and DF bit set" message. Under this scenario, the PIX Security Appliance is also vulnerable to crafted ICMP type 3 code 4 messages that try to set the path MTU to a very low value. This vulnerability is documented in the Cisco Bug ID CSCef57566 -- A PIX Security Appliance with IPSec configured can be susceptible to crafted ICMP packets suggesting a very small PMTU for a path or a Security Association. This symptom is observed when IPSec is configured for PMTUD, which is turned on automatically when IPSec is configured on the PIX Security Appliance. Catalyst 6608 and 6624 +--------------------- The Cisco Catalyst 6608 Voice Gateway and Cisco 6000 FXS Analog Interface Module (WS-X6624-FXS) are vulnerable to attacks based on ICMP "hard" error and "source quench" messages. The Cisco Bug ID that documents this vulnerability is CSCsa60692 -- ICMP Hard error handling. Cisco 11000 and 11500 Content Services Switches +---------------------------------------------- The Cisco 11000 and 11500 Content Services Switches are vulnerable to attacks based on ICMP "source quench" messages on the management port; they are not vulnerable on the network ports. The CSS does not perform PMTUD and therefore is not vulnerable to PMTUD attacks. The Cisco Bug ID that documents the vulnerability to ICMP "source quench" messages is CSCeh45454 -- ICMP error packet attacks against TCP. Cisco Global Site Selector +------------------------- The Cisco Global Site Selector version 1.1 and earlier is vulnerable to attacks based on ICMP "source quench" messages. It is not vulnerable to attacks based on ICMP "hard error" messages or to PMTUD attacks. The Cisco Bug ID that documents the vulnerability to ICMP "source quench" messages is CSCeh20083 -- ICMP error packet attacks against TCP. Cisco MDS 9000 Series Multilayer Switches +---------------------------------------- The Cisco MDS 9000 Series Multilayer Switch is vulnerable to PMTUD attacks. The Cisco Bug ID that documents this vulnerability is CSCeh04183 -- ICMP attacks against TCP. Cisco ONS Products +----------------- The affected Cisco ONS products are vulnerable to PMTUD attacks only. VPN 5000 Concentrator +-------------------- The VPN 5000 concentrator is vulnerable to PMTUD. ICMP "source quench" messages are only processed to keep message counts, but not for avoiding congestion. Therefore, this device is not vulnerable to attacks based on this type of messages. The Cisco Bug ID that documents the PMTUD vulnerability is CSCeh59823 -- ICMP 3/4 messages may affect IPSec sessions. Impact ====== Successful exploitation of attacks using crafted ICMP "hard" error messages may result in connections being dropped. Successful exploitation of attacks based on "fragmentation needed and DF bit set" (or PMTUD attacks) and ICMP "source quench" error messages may result in connections being throttled to very low throughput. While throughput is low, the output buffer of a sending host could overflow or packets could be dropped or be unnecessarily fragmented, which may affect applications and communication efficiency. Accordingly, crafted ICMP packets could interfere with network protocols, such as the Border Gateway Protocol, Label Distribution Protocol (LDP) and DLSw. In addition to causing low throughput, a PMTUD attack can also cause high Central Processing Unit (CPU) utilization and extra memory consumption on the receiving host because the CPU will spend time and memory buffers to reassemble the incoming fragmented packets. In all cases, these attacks may result in Denial-of-Service conditions. No remote code execution or unauthorized access results from these types of attacks. Software Versions and Fixes =========================== When considering software upgrades, please also consult http://www.cisco.com/en/US/products/products_security_advisories_listing.html and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") for assistance. IOS-based Products +----------------- Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label). For further information on the terms "Rebuild" and "Maintenance" please consult the following URL: http://www.cisco.com/warp/public/620/1.html Due to differences in software availability and in the feature scenarios in which Cisco IOS is vulnerable, the table of first fixed releases has been broken down based on the different vulnerabilities that affect each technology. There are four different groups: 1. TCPv4: represents CSCed78149 and CSCef60659. The first Cisco Bug ID tracks TCP's vulnerability to PMTUD attacks, and the second Cisco Bug ID tracks the vulnerability that affects all protocols that make use of PMTUD, with the exception of TCP over IPv6, which is not affected by this vulnerability. 2. Tunnels: represents CSCef60659, CSCef43691, CSCsa61864, CSCsa59600, and CSCef44699. These are the Cisco Bug IDs that track vulnerabilities in most of the affected tunneling protocols (GRE, L2TPv3, and IPSec.) 3. TCPv6: represents CSCef61610, which is the Cisco Bug ID that tracks TCP's vulnerability to PMTUD attacks when running over IPv6. 4. L2TPv2: represents CSCsa52807, which is the Cisco Bug ID that tracks L2TPv2's vulnerability to PMTUD attacks. +-----------------------------------------------+ | Major Release | Availability of Repaired | | | Releases | |-------------------+---------------------------| | Affected | | | | 12.0-Based | Rebuild | Maintenance | | Release | | | |-------------------+-------------+-------------| | | TCPv4 | | | | | and | 12.0(28c) | | | | Tunnels | | | |12.0 |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(12)DA8 or later | | | Tunnels | | |12.0DA |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | |12.0DB |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(15)BC2f or later | | | Tunnels | | |12.0DC |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | | 12.0(27)S5, | | | | | available | | | | | 23-May-05 | | | |TCPv4 |-------------|12.0(31)S, | | | and | 12.0(28)S3, | available | | | Tunnels | available | 28-Apr-05 | | | | 25-Apr-05 | | | | |-------------| | | | | 12.0(30)S1 | | | |---------+-------------+-------------| | 12.0S | | 12.0(27)S5, | | | | | available | | | | | 23-May-05 | | | | |-------------|12.0(31)S, | | | TCPv6 | 12.0(28)S3, | available | | | | available | 28-Apr-05 | | | | 25-Apr-05 | | | | |-------------| | | | | 12.0(30)S1 | | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(15)BC2f or later | | | Tunnels | | |12.0SC |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.0S or later | | | Tunnels | | |12.0SL |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.0S or later | | | Tunnels | | |12.0SP |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.0S or later | | | Tunnels | | |12.0ST |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.0SX |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.0S or later | | | Tunnels | | |12.0SZ |---------+---------------------------| | | TCPv6 | Vulnerable; migrate to | | | | 12.0S or later | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1(27) or later | | | Tunnels | | |12.0T |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | | 12.0(25)W5 | | | | TCPv4 | (27c) | | | |and |-------------| | | | Tunnels | 12.0(28)W5 | | | 12.0W5 | | (31a) | | | |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | 12.0(5) | | | | and | WC12, | | | | Tunnels | available | | | 12.0WC | | 25-July-05 | | | |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1(27) or later | | | Tunnels | | |12.0XA |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1(27) or later | | | Tunnels | | |12.0XB |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1(27) or later | | | Tunnels | | |12.0XC |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1(27) or later | | | Tunnels | | |12.0XD |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1E latest | | | Tunnels | | |12.0XE |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1(27) or later | | | Tunnels | | |12.0XF |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1(27) or later | | | Tunnels | | |12.0XG |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1(27) or later | | | Tunnels | | |12.0XH |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1(27) or later | | | Tunnels | | |12.0XI |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1(27) or later | | | Tunnels | | |12.0XJ |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(28) or later | | | Tunnels | | |12.0XK |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(28) or later | | | Tunnels | | |12.0XL |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1(27) or later | | | Tunnels | | |12.0XM |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1(27) or later | | | Tunnels | | |12.0XN |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1(27) or later | | | Tunnels | | |12.0XQ |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(28) or later | | | Tunnels | | |12.0XR |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1E latest | | | Tunnels | | |12.0XS |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1(27) or later | | | Tunnels | | |12.0XV |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |-------------------+---------------------------| | Affected | | | | 12.1-Based | Rebuild | Maintenance | | Release | | | |-------------------+-------------+-------------| | | TCPv4 | | | | | and | | 12.1(27) | | | Tunnels | | | |12.1 |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(28) or later | | | Tunnels | | |12.1AA |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(25)EY or later | | | Tunnels | | |12.1AX |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1(22)EA4 or later | | | Tunnels | | |12.1AZ |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(12)DA8 or later | | | Tunnels | | |12.1DA |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | |12.1DB |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(15)BC2f or later | | | Tunnels | | |12.1DC |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | | 12.1(22)E6, | | | | | available | | | | | TBD | | | |TCPv4 |-------------| | | | and | 12.1(23)E4, | | | | Tunnels | available | | | 12.1E | | 8-Apr-05 | | | | |-------------| | | | | 12.1(26)E1 | | | |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | | | | | and | 12.1(22)EA4 | | | | Tunnels | | | |12.1EA |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.1EB |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(15)BC2f or later | | | Tunnels | | |12.1EC |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | 12.1(19) | | | | and | EO4, | | | | Tunnels | available | | | 12.1EO | | 26-May-05 | | | |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(20)EU or later | | | Tunnels | | |12.1EU |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.1EV |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(18)EW3 or later | | | Tunnels | | |12.1EW |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1E latest | | | Tunnels | | |12.1EX |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1E latest | | | Tunnels | | |12.1EY |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(28) or later | | | Tunnels | | |12.1T |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(28) or later | | | Tunnels | | |12.1XA |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(28) or later | | | Tunnels | | |12.1XB |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(28) or later | | | Tunnels | | |12.1XC |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(28) or later | | | Tunnels | | |12.1XD |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1E latest | | | Tunnels | | |12.1XE |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(28) or later | | | Tunnels | | |12.1XF |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.1XG |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(28) or later | | | Tunnels | | |12.1XH |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(28) or later | | | Tunnels | | |12.1XI |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.1XJ |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.1XL |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.1XM |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.1XP |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.1XQ |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.1XR |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.1XT |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.1XU |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.1XV |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.1YA |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.1YB |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.1YC |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.1YD |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.1YE |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.1YF |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.1YH |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.1YI |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.1(22)EA4 or later | | | Tunnels | | |12.1YJ |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |-------------------+---------------------------| | Affected | | | | 12.2-Based | Rebuild | Maintenance | | Release | | | |-------------------+-------------+-------------| | | TCPv4 | | | | | and | | 12.2(28) | | | Tunnels | | | |12.2 |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | | |---------+---------------------------| | 12.2B | TCPv6 | Vulnerable; migrate to | | | | 12.3(14)T or later | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | 12.2(15) | | | | and | BC2f | | | | Tunnels | | | |12.2BC |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2BW |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | |12.2BY |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | | 12.3(7)XI3 | | |---------+---------------------------| | | Tunnels | Vulnerable; migrate to | | 12.2BZ | | 12.3(7)XI4, available TBD | | |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | 12.2(15) | | | | and | BC2f | | | | Tunnels | | | |12.2CX |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | 12.2(15) | | | | and | BC2f | | | | Tunnels | | | |12.2CY |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; | | | | and | contact TAC | | | | Tunnels | | | |12.2CZ |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | | | | | and | 12.2(12)DA8 | | | | Tunnels | | | |12.2DA |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | |12.2DD |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | |12.2DX |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | | | | | and | | 12.2(20)EU | | | Tunnels | | | |12.2EU |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | | | | | and | 12.2(18)EW3 | | | | Tunnels | | | |12.2EW |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | | | | | and | 12.2(25)EWA | | | | Tunnels | | | |12.2EWA |---------+-------------+-------------| | | TCPv6 | 12.2(25)EWA | | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(25)SEB or later | | | Tunnels | | |12.2EX |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | | | | | and | 12.2(25)EY | | | | Tunnels | | | |12.2EY |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(4)JA | | | Tunnels | | |12.2JA |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.2JK |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.2MB |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T | | | Tunnels | | | |---------+---------------------------| | 12.2MC | TCPv6 | Vulnerable; migrate to | | | | 12.3(14)T | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T | |---------+---------+---------------------------| | | | 12.2(14)S13 | | | | |-------------| | | | TCPv4 | 12.2(18)S8 | | | |and |-------------| | | | Tunnels | 12.2(20)S7 | | | | |-------------| | | 12.2S | | 12.2(25)S3 | | | |---------+-------------+-------------| | | | 12.2(20)S7 | | | |TCPv6 |-------------| | | | | 12.2(25)S3 | | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | | | | | and | 12.2(25)SEB | | | | Tunnels | | | |12.2SE |---------+---------------------------| | | TCPv6 | 12.2(25)SEA vulnerable; | | | | migrate to 12.2(25)SEB | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | 12.2(18)SO1, available | | | and | 25-Mar-05 | | | Tunnels | | |12.2SO |---------+---------------------------| | | TCPv6 | 12.2(18)SO2, available | | | | 29-Apr-05 | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.2SU |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(25)S3 | | | Tunnels | | |12.2SV |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.2SW |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(17d)SXB7 | | | Tunnels | | |12.2SX |---------+---------------------------| | | TCPv6 | Vulnerable; migrate to | | | | 12.2(17d)SXB7 | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(17d)SXB7 | | | Tunnels | | |12.2SXA |---------+---------------------------| | | TCPv6 | Vulnerable; migrate to | | | | 12.2(17d)SXB7 | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | 12.2(17d) | | | | and | SXB7 | | | | Tunnels | | | |12.2SXB |---------+-------------+-------------| | | TCPv6 | 12.2(17d) | | | | | SXB7 | | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | 12.2(18) | | | | and | SXD4 | | | | Tunnels | | | |12.2SXD |---------+-------------+-------------| | | TCPv6 | 12.2(18) | | | | | SXD4 | | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(17d)SXB7 | | | Tunnels | | |12.2SY |---------+---------------------------| | | TCPv6 | Vulnerable; migrate to | | | | 12.2(17d)SXB7 | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(20)S7 | | | Tunnels | | |12.2SZ |---------+---------------------------| | | TCPv6 | Vulnerable; migrate to | | | | 12.2(20)S7 | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | | | | | and | 12.2(15)T15 | | | | Tunnels | | | |12.2T |---------+-------------+-------------| | | TCPv6 | 12.2(15)T15 | | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2XA |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2XB |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | |12.2XC |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2XD |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2XE |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(15)BC2f | | | Tunnels | | |12.2XF |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2XG |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2XH |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2XI |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2XJ |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2XK |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2XL |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2XM |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2XN |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2XQ |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(4)JA | | | Tunnels | | |12.2XR |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2XT |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2XU |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2XW |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | | | | | and | 12.2(4)YA9 | | | | Tunnels | | | |12.2YA |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2YB |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2YC |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | |12.2YD |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2S or later | | | Tunnels | | |12.2YE |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.2S or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2YF |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2YG |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2YH |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | |12.2YJ |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | |12.2YK |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | |12.2YL |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | |12.2YM |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | |12.2YN |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(17d)SXB7 | | | Tunnels | | |12.2YO |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | |12.2YQ |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | |12.2YR |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | | |---------+---------------------------| | 12.2YT | TCPv6 | Vulnerable; migrate to | | | | 12.3(12) or later | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | | |---------+---------------------------| | 12.2YU | TCPv6 | Vulnerable; migrate to | | | | 12.3(14)T or later | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | | |---------+---------------------------| | 12.2YV | TCPv6 | Vulnerable; migrate to | | | | 12.3(14)T or later | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | |12.2YW |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.2YX |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | |12.2YY |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(20)S7 | | | Tunnels | | |12.2YZ |---------+---------------------------| | | TCPv6 | Vulnerable; migrate to | | | | 12.2(20)S7 | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.2(17d)SXB7 | | | Tunnels | | |12.2ZA |---------+---------------------------| | | TCPv6 | Vulnerable; migrate to | | | | 12.2(17d)SXB7 | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | |12.2ZB |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | | |---------+---------------------------| | 12.2ZC | TCPv6 | Vulnerable; migrate to | | | | 12.3(14)T or later | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T | | | Tunnels | | | |---------+---------------------------| | 12.2ZD | TCPv6 | Vulnerable; migrate to | | | | 12.3(14)T | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(13) or later | | | Tunnels | | | |---------+---------------------------| | 12.2ZE | TCPv6 | Vulnerable; migrate to | | | | 12.3(12) or later | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3 or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | | |---------+---------------------------| | 12.2ZF | TCPv6 | Vulnerable; migrate to | | | | 12.3(14)T or later | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | | |---------+---------------------------| | 12.2ZG | TCPv6 | Vulnerable; migrate to | | | | 12.3(14)T or later | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | 12.2(13) | | | | and | ZH6, | | | | Tunnels | available | | | | | TBD | | | |---------+-------------+-------------| | | | 12.2(13) | | | 12.2ZH | TCPv6 | ZH6, | | | | | available | | | | | TBD | | | |---------+-------------+-------------| | | | 12.2(13) | | | | L2TPv2 | ZH6, | | | | | available | | | | | TBD | | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | | |---------+---------------------------| | 12.2ZJ | TCPv6 | Vulnerable; migrate to | | | | 12.3(14)T or later | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | | |---------+---------------------------| | 12.2ZK | TCPv6 | Vulnerable; migrate to | | | | 12.3(14)T or later | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | 12.2(15) | | | | and | ZL2, | | | | Tunnels | available | | | | | TBD | | | |---------+-------------+-------------| | | | 12.2(15) | | | 12.2ZL | TCPv6 | ZL2, | | | | | available | | | | | TBD | | | |---------+-------------+-------------| | | | 12.2(15) | | | | L2TPv2 | ZL2, | | | | | available | | | | | TBD | | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | | |---------+---------------------------| | 12.2ZN | TCPv6 | Vulnerable; migrate to | | | | 12.3(14)T or later | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.2ZP |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |-------------------+---------------------------| | Major Release | Availability of Repaired | | | Releases | |-------------------+---------------------------| | Affected | | | | 12.3-Based | Rebuild | Maintenance | | Release | | | |-------------------+-------------+-------------| | | | 12.3(3h); | | | | | available | | | | | 21-Apr-05 | | | | |-------------| | | | | 12.3(5e); | | | | | available | | | | | 28-Apr-05 | | | | |-------------| | | | TCPv4 | 12.3(6e) | | | |and |-------------|12.3(13) | | | Tunnels | 12.3(9d); | | | | | available | | | | | 21-Apr-05 | | | | |-------------| | | | | 12.3(10c) | | | | |-------------| | | | | 12.3(12b); | | | | | available | | | | | 12-Apr-05 | | | |---------+-------------+-------------| | | | 12.3(6e) | | | | |-------------| | | | | 12.3(3h); | | | | | available | | | | | 21-Apr-05 | | | | |-------------| | | | | 12.3(5e); | | | | TCPv6 | available | 12.3(12) | | 12.3 | | 28-Apr-05 | | | | |-------------| | | | | 12.3(9d); | | | | | available | | | | | 21-Apr-05 | | | | |-------------| | | | | 12.3(10c) | | | |---------+-------------+-------------| | | | 12.3(6e) | | | | |-------------| | | | | 12.3(3h); | | | | | available | | | | | 21-Apr-05 | | | | |-------------| | | | | 12.3(5e); | | | | | available | | | | | 28-Apr-05 | | | | |-------------|12.3(15), | | | L2TPv2 | 12.3(9d); | available | | | | available | 6-Jun-05 | | | | 21-Apr-05 | | | | |-------------| | | | | 12.3(12b); | | | | | available | | | | | 12-Apr-05 | | | | |-------------| | | | | 12.3(13a); | | | | | available | | | | | 2-May-05 | | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | | |---------+---------------------------| | 12.3B | TCPv6 | Vulnerable; migrate to | | | | 12.3(14)T or later | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | | | | | and | 12.3(9a)BC2 | | | | Tunnels | | | |12.3BC |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(7)T8 or later | | | Tunnels | | | |---------+---------------------------| | 12.3BW | TCPv6 | Vulnerable; migrate to | | | | 12.3(7)T8 or later | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(11)T4 or later | |---------+---------+---------------------------| | | TCPv4 | | | | | and | | 12.3(4)JA | | | Tunnels | | | |12.3JA |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | | 12.3(7)T8 | | | |TCPv4 |-------------| | | | and | 12.3(8)T7 | 12.3(14)T | | |Tunnels |-------------| | | | | 12.3(11)T4 | | | |---------+-------------+-------------| | | | 12.3(7)T8 | | | | |-------------| | | 12.3T | TCPv6 | 12.3(8)T7 | 12.3(14)T | | | |-------------| | | | | 12.3(11)T4 | | | |---------+-------------+-------------| | | | 12.3(11)T4 | | | | |-------------| | | | L2TPv2 | 12.3(7)T10; | 12.3(14)T | | | | available | | | | | 16-May-05 | | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | | |---------+---------------------------| | 12.3XA | TCPv6 | Vulnerable; migrate to | | | | 12.3(14)T or later | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | | |---------+---------------------------| | 12.3XB | TCPv6 | Vulnerable; migrate to | | | | 12.3(14)T or later | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | 12.3(2)XC3, | | | | and | available | | | | Tunnels | TBD | | | |---------+-------------+-------------| | | | 12.3(2)XC3, | | | 12.3XC | TCPv6 | available | | | | | TBD | | | |---------+-------------+-------------| | | | 12.3(2)XC3, | | | | L2TPv2 | available | | | | | TBD | | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | | |---------+---------------------------| | 12.3XD | TCPv6 | Vulnerable; migrate to | | | | 12.3(14)T or later | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.3XE |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | | |---------+---------------------------| | 12.3XF | TCPv6 | Vulnerable; migrate to | | | | 12.3(14)T or later | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.3XG |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; | | | | and | migrate to | | | | Tunnels | 12.3(14)T | | | | | or later | | | |---------+-------------+-------------| | | | Vulnerable; | | | 12.3XH | TCPv6 | migrate to | | | | | 12.3(14)T | | | | | or later | | | |---------+-------------+-------------| | | | Vulnerable; | | | | L2TPv2 | migrate to | | | | | 12.3(14)T | | | | | or later | | |---------+---------+-------------+-------------| | | TCPv4 | 12.3(7)XI3 | | | |---------+-------------+-------------| | | | 12.3(7)XI4, | | | | Tunnels | available | | | 12.3XI | | TBD | | | |---------+-------------+-------------| | | TCPv6 | 12.3(7)XI3 | | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.3XJ |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.3XK |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | | |---------+---------------------------| | 12.3XL | TCPv6 | Vulnerable; migrate to | | | | 12.3(14)T or later | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(14)T or later | | | Tunnels | | | |---------+---------------------------| | 12.3XM | TCPv6 | Vulnerable; migrate to | | | | 12.3(14)T or later | | |---------+---------------------------| | | L2TPv2 | Vulnerable; migrate to | | | | 12.3(14)T or later | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.3XQ |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.3XR |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.3XS |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | Vulnerable; migrate to | | | and | 12.3(4)JA | | | Tunnels | | |12.3XT |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.3XU |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.3XW |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.3XX |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | | | | and | 12.3(8)XY4 | | | Tunnels | | |12.3XY |---------+---------------------------| | | TCPv6 | Not vulnerable | | |---------+---------------------------| | | L2TPv2 | Not vulnerable | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.3YA |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.3YD |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | 12.3(11) | | | | and | YF2, | | | | Tunnels | available | | | | | 28-Apr-05 | | | |---------+-------------+-------------| | | | 12.3(11) | | | 12.3YF | TCPv6 | YF2, | | | | | available | | | | | 28-Apr-05 | | | |---------+-------------+-------------| | | | 12.3(11) | | | | L2TPv2 | YF2, | | | | | available | | | | | 28-Apr-05 | | |---------+---------+-------------+-------------| | | TCPv4 | | | | | and | 12.3(8)YG1 | | | | Tunnels | | | |12.3YG |---------+-------------+-------------| | | TCPv6 | 12.3(8)YG1 | | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.3YH |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | | | | | and | | 12.3(8)YI | | | Tunnels | | | |12.3YI |---------+-------------+-------------| | | TCPv6 | | 12.3(8)YI | | |---------+-------------+-------------| | | L2TPv2 | | 12.3(8)YI | |---------+---------+---------------------------| | | TCPv4 | | | | and | Vulnerable; contact TAC | | | Tunnels | | |12.3YJ |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | | | | | and | | 12.3(11)YK | | | Tunnels | | | |12.3YK |---------+-------------+-------------| | | TCPv6 | | 12.3(11)YK | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | | | | | and | | 12.3(11)YN | | | Tunnels | | | |12.3YN |---------+---------------------------| | | TCPv6 | Vulnerable; contact TAC | | |---------+---------------------------| | | L2TPv2 | Vulnerable; contact TAC | |---------+---------+---------------------------| | | TCPv4 | | | | | and | | 12.3(14)YQ | | | Tunnels | | | |12.3YQ |---------+-------------+-------------| | | TCPv6 | | 12.3(14)YQ | | |---------+-------------+-------------| | | L2TPv2 | | 12.3(14)YQ | +-----------------------------------------------+ Non-IOS-based Products +--------------------- Each row of the non-IOS-based products table (below) lists the earliest possible release that contains the fix (the "First Fixed Release") and the