
Cisco Bug: CSCuo68417 - Invalid IPv4/IPv6 packet punted for netflow processing causes NP lockup

Last Modified

May 29, 2020

Products (7)

  • Cisco ASR 9000 Series Aggregation Services Routers
  • Cisco IOS XR Software
  • Cisco ASR 9922 Router
  • Cisco ASR 9010 Router
  • Cisco ASR 9006 Router
  • Cisco ASR 9001 Router
  • Cisco ASR 9912 Router

Known Affected Releases

4.3.1.BASE 4.3.4.BASE 5.1.0.BASE

Description (partial)

Disable Netflow.
 
<More Information>
 
The following logs may be present on a device:
 
LC/0/4/CPU0:May  1 02:42:04.501 CET: prm_server_ty[300]: %PLATFORM-NP-4-FAULT : Fast Reset NP1 - successful auto-recovery of NP
LC/0/4/CPU0:May  1 02:42:04.501 CET: pfm_node_lc[290]: %PLATFORM-NP-2-NP_DIAG : Clear|prm_server_ty[168018]|Network Processor Unit(0x1008001)| NP diagnostics warning on NP1.
 
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2014-3322 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3322

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Symptom:

A vulnerability in the Netflow processing in Cisco IOS XR Software for ASR 9000 Series Aggregation Services Routers could allow an
unauthenticated, adjacent attacker to cause a lockup and eventual reload of a Network Processor (NP) chip and a line card processing traffic. 
 
The vulnerability is due to improper Netflow sampling of malformed IPv4/IPv6 packets. An attacker could exploit this vulnerability by sending a
stream of malformed IPv4/IPv6 packets to be processed through an affected device. An exploit could allow the attacker to cause a lockup and
eventual reload of an NP chip and a line card, leading to a denial of service (DoS) condition.

Conditions:
Only Typhoon-based line cards on Cisco ASR 9000 Series Aggregation Services Routers are affected by this vulnerability.
 
Netflow sampling has to be configured for this vulnerability to be exploited.
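Added example, not part of the Cisco bug record: a small Python parser that picks the %PLATFORM-NP-4-FAULT and %PLATFORM-NP-2-NP_DIAG messages quoted above out of an IOS XR syslog feed and counts Fast Reset auto-recoveries per line card and NP, which is the signal an operator would watch for on Typhoon line cards while Netflow sampling is still enabled. The log lines below are constructed, modelled on the two in the bug text.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two log lines quoted in the bug
# (the NP_DIAG message is wrapped across two lines in the original).
SAMPLE_LOGS = """\
LC/0/4/CPU0:May  1 02:42:04.501 CET: prm_server_ty[300]: %PLATFORM-NP-4-FAULT : Fast Reset NP1 - successful auto-recovery of NP
LC/0/4/CPU0:May  1 02:42:04.501 CET: pfm_node_lc[290]: %PLATFORM-NP-2-NP_DIAG : Clear|prm_server_ty[168018]|Network Processor Unit(0x1008001)| NP diagnostics warning on NP1.
LC/0/4/CPU0:May  1 02:47:12.010 CET: prm_server_ty[300]: %PLATFORM-NP-4-FAULT : Fast Reset NP1 - successful auto-recovery of NP
LC/0/1/CPU0:May  1 03:10:00.000 CET: prm_server_ty[300]: %PLATFORM-NP-4-FAULT : Fast Reset NP0 - successful auto-recovery of NP
"""

# IOS XR line card syslog shape: <node>:<timestamp> <tz>: <process>[pid]: %FACILITY-SEV-MNEMONIC : text
LINE_RE = re.compile(
    r"^(?P<node>LC/\d+/\d+/CPU\d+):(?P<ts>.+?): "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: %(?P<msg>PLATFORM-NP-\d-[A-Z_]+) : (?P<text>.*)$"
)
# The NP number appears in the message text as "NP<n>" (e.g. "NP1").
NP_RE = re.compile(r"\bNP(?P<np>\d+)\b")

# The two mnemonics the bug record says may be present on an affected device.
NP_MNEMONICS = {"PLATFORM-NP-4-FAULT", "PLATFORM-NP-2-NP_DIAG"}


def parse_np_events(log_text):
    """Return (node, np, mnemonic, timestamp) tuples for the NP messages named in the bug."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("msg") not in NP_MNEMONICS:
            continue
        np_match = NP_RE.search(m.group("text"))
        np_id = int(np_match.group("np")) if np_match else None
        events.append((m.group("node"), np_id, m.group("msg"), m.group("ts")))
    return events


def count_fast_resets(log_text):
    """Count Fast Reset auto-recoveries per (line card node, NP).

    Repeated resets on one NP are the pattern to escalate while Netflow
    sampling is enabled on a Typhoon line card.
    """
    counts = defaultdict(int)
    for node, np_id, msg, _ in parse_np_events(log_text):
        if msg == "PLATFORM-NP-4-FAULT":
            counts[(node, np_id)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (node, np_id), n in sorted(count_fast_resets(SAMPLE_LOGS).items()):
        print(f"{node} NP{np_id}: {n} fast reset(s)")
```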
