Field Notice:
                         Cisco IOS Remote Router Crash
                                       
   Revision 1.4
   For release 08:00 AM US/Pacific, Wednesday, August 12, 1998
     _________________________________________________________________
   
     * [3]More Field Notices
     _________________________________________________________________
   
Summary

   An error in Cisco IOS software makes it possible for untrusted,
   unauthenticated users who can gain access to the login prompt of a
   router or other Cisco IOS device, via any means, to cause that device
   to crash and reload.
   
   This applies only to devices running classic Cisco IOS software,
   including most, but not all, Cisco router products. The easiest way to
   determine whether your device is running classic Cisco IOS software is
   to use the show version command as detailed under [4]Who Is Affected
   below.
   
Who Is Affected

   All users of classic Cisco IOS software versions 9.1 and later, but
   earlier than the repaired versions listed in the "[5]Details" section
   of this notice, whose devices can be connected to interactively by
   untrusted users, are affected by this vulnerability. It is not
   necessary to be able to actually log in to exploit this vulnerability;
   simply establishing a terminal connection is sufficient. The
   vulnerability can be exploited from any interactive prompt issued by
   the router, including but not limited to, the login prompt.
   
   Note that some of the repaired software has been in the field for some
   time; you may already have installed it. Please check your software
   version number before assuming that you are affected.
   
   The vulnerability can be exploited using direct console or
   asynchronous serial connections (including dialup connections), TELNET
   connections, UNIX "r" command connections, LAT connections, MOP
   connections, X.29 connections, V.120 connections, and possibly others.
   Except in extraordinary security environments, administrators are
   strongly encouraged to assume that hostile users can find ways to make
   interactive connections to their Cisco IOS devices.
   
   If you are not running classic Cisco IOS software, then you are not
   affected by this vulnerability. Cisco devices which do not run classic
   Cisco IOS software include the following:
     * 7xx dialup routers (750, 760, and 770 series) are not affected.
     * Catalyst LAN switches (except for the Catalyst 2900XL) are not
       affected.
     * WAN switching products in the IGX or BPX lines are not affected.
     * The AXIS shelf is not affected.
     * The LS1010 or LS2020 ATM switches are not affected. Earlier
       versions of this notice said that some LS1010 switches were
       affected. This was an error; the 11.2WAx and 11.3WAx versions of
       Cisco IOS software used in LS1010 switches are based on repaired
       variants.
     * Any host-based software is not vulnerable.
     * The Cisco PIX Firewall is not vulnerable.
     * The Cisco LocalDirector is not vulnerable.
     * The Cisco Cache Engine is not vulnerable.
       
   It is impossible to list all Cisco products in this notice. If you are
   unsure whether your device is running classic Cisco IOS software, log
   into the device and issue the command show version. Classic Cisco IOS
   software will identify itself simply as "IOS" or "Internetwork
   Operating System Software," and affected software will have a version
   number greater than or equal to 9.1. Other Cisco devices either will
   not have the show version command, or will give different output.
   
Impact

   If attackers know the details of the Cisco IOS software error they
   will be able to cause the router to crash and reload without having to
   log in to the router. Because this problem involves damage to an
   internal data struture, it is possible that other, more subtle or
   targeted effects on system operation could also be induced by proper
   exploitation. Such exploitation, if it is possible at all, would
   require significant engineering skill and a thorough knowledge of the
   internal operation of Cisco IOS software, including Cisco trade secret
   information.
   
Details

   The Cisco IOS software error has been assigned Cisco bug ID
   CSCdj43337.
   
   Note: If you are a [6]registered CCO user and you have logged in, you
   can view bug details.
   
  Affected and Repaired Software Versions
  
   This vulnerability affects all releases of Classic Cisco IOS software
   from 9.1 up to, but not including, the following corrected releases
   (including interim and beta software):
   
     * 11.3(1),  11.3(1)ED, 11.3(1)T
     * 11.2(10), 11.2(9)P, 11.2(9)XA, 11.2(10)BC, 11.2(8)SA3
     * 11.1(15)CA, 11.1(16), 11.1(16)IA, 11.1(16)AA, 11.1(17)CC,
       11.1(17)CT
     * 11.0(20.3)
       
   It is not necessary to run the specific releases listed above; the fix
   is present in all subsequent versions of the same releases as well.
   For example, 11.2(9)P is fixed, so 11.2(10)P is also fixed.
   
   Releases of Cisco IOS software up to and including 10.3 have reached
   end of support, and no fixes are currently or planned to be available
   for those releases. All releases after 9.1 do, however, contain the
   problem.
   
   All planned fixes to Cisco IOS software have been completed and
   tested. Integration into regular released software is complete for all
   versions except 11.0. If you are running a version of software earlier
   than the ones listed above, please contact the Cisco TAC for
   assistance.
   
   As of the date of this notice, the fix for this problem is available
   for the 11.0 release only in the 11.0(20.3) version. This  is an
   interim release, and has not been subjected to the same degree of
   testing as a regular Cisco IOS release. The first regular 11.0 release
   containing the fix will be 11.0(21). Release of 11.0(21) is
   tentatively scheduled for mid-September, 1998; this schedule is
   subject to change. Because of the relative maturity of the 11.0 Cisco
   IOS software, Cisco believes that installation of 11.0(20.3) carries
   less risk than would installation of an interim release for a newer
   Cisco IOS version, but customers are advised to use caution in
   installing 11.0(20.3), or any other interim release, in any critical
   device.
   
   Cisco is offering free software upgrades to all vulnerable customers,
   regardless of contract status. Customers with service contracts may
   upgrade to any Cisco IOS software version. Customers without contracts
   may upgrade to the latest versions of the images that they are already
   running (for example, from 11.2(2) to 11.2(11), but not from 11.2(2)
   to 11.3(3)). Customers without contracts who are running 10.3 or older
   software will receive free upgrades to fixed 11.0 versions, but should
   be careful to make sure that their hardware can support the new
   software before upgrading.
   
   Customers with contracts should obtain upgraded software through their
   regular update channels (generally via Cisco's Worldwide Web site).
   Customers without contracts should contact the Cisco TAC as explained
   in the "[7]Cisco Security Procedures" section of this document, and
   should refer to the URL of this document as evidence of their
   entitlement.
   
   As with any software upgrade, you should check to make sure that your
   hardware can support the new software before upgrading.  The most
   common problem is inadequate RAM. Assistance is available on Cisco's
   Worldwide Web site at [8]http://www.cisco.com.
   
  Workarounds
  
   It is possible to work around this problem by preventing interactive
   access to the Cisco IOS device. If only IP-based interactive access is
   of concern, this can be done by using the ip access-class line
   configuration to apply an access list to all virtual terminals in the
   system. However, it is important to remember that non-IP-based means
   of making interactive connections to Cisco IOS devices do exist, and
   to eliminate those means as possible routes of attack. Interactive
   access can be prevented completely by applying the configuration
   command no exec to any asynchronous line, or the command transport
   input none to any virtual terminal line, that may be accessible to
   untrusted users.
   
Exploitation and Public Announcements

   Cisco has had no actual reports of malicious exploitation of this
   vulnerability.  However, there have been sporadic reports of
   unexplained crashes that have been consistent with the crashes caused
   by this vulnerability; the vulnerability was initially identified
   because of such a report. It is possible that the reported crashes
   could have been caused by random events, but it is also possible that
   they could have been deliberate. Cisco has essentially no information
   that would be useful in determining which is the case.  None of the
   customers reporting the crashes indicated any suspicion of a
   deliberate attack.
   
   Cisco knows of no public announcements of this vulnerability before
   the date of this notice.
   
Status of This Notice

   This is a final field notice. Although Cisco cannot guarantee the
   accuracy of all statements in this notice, all the facts have been
   checked to the best of our ability. Cisco does not anticipate issuing
   updated versions of this notice unless there is some material change
   in the facts. Should there be a significant change in the facts, Cisco
   may update this notice.