Cisco Bug: CSCup77750 - NP lockup with netflow when receiving packet with mcast dmac

Last Modified

Nov 27, 2020

Products (6)

  • Cisco ASR 9000 Series Aggregation Services Routers
  • Cisco ASR 9922 Router
  • Cisco IOS XR Software
  • Cisco ASR 9010 Router
  • Cisco ASR 9006 Router
  • Cisco ASR 9001 Router

Known Affected Releases

4.3.1.BASE

Description (partial)

Symptom:

A vulnerability in the packet parsing code of Cisco IOS XR Software for ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, adjacent attacker to cause a lockup and eventual reload of a network processor chip and of the line card processing traffic.

The vulnerability is due to improper parsing of a specific packet when NetFlow sampling is configured. An attacker could exploit this vulnerability by sending a specific packet with a multicast destination MAC address through an affected device that has NetFlow sampling configured. An exploit could allow the attacker to cause a lockup and eventual reload of a network processor chip and of the line card processing traffic.


Conditions:

The following conditions must be in place for this vulnerability to be exploited:

- Only Typhoon line cards are affected by this vulnerability
- CSCum91344 SMU installed (integrated only in 5.1.2)
- Static ARP entry mapping a unicast IP address to a multicast MAC address
- NetFlow collection configured on a BVI interface used as an egress interface for such packets
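The two configuration conditions in that list (a static ARP entry mapping a unicast IP to a multicast MAC, and egress NetFlow on a BVI) can be audited from a saved running-config. The following is an added example, not Cisco's code: it assumes the IOS XR `arp [vrf NAME] IP MAC arpa` and `flow ipv4 monitor NAME [sampler NAME] {ingress|egress}` syntax, runs over a constructed config, and does not check the line card type or SMU level, which must be verified separately.

```python
import re

# Constructed sample of IOS XR running-config text (not from the bug page); RFC 5737 addresses.
SAMPLE_CONFIG = """\
interface BVI100
 flow ipv4 monitor FMON sampler SMAP egress
!
interface GigabitEthernet0/0/0/1
 flow ipv4 monitor FMON sampler SMAP ingress
!
arp 192.0.2.10 0100.5e01.0101 arpa
arp vrf default 192.0.2.11 0000.0c12.3456 arpa
"""

# Assumed syntax: "arp [vrf NAME] IP MAC arpa" and "flow ipv4 monitor NAME [sampler NAME] {ingress|egress}".
ARP_RE = re.compile(r"^\s*arp\s+(?:vrf\s+\S+\s+)?(\S+)\s+"
                    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+arpa\b", re.I)
FLOW_RE = re.compile(r"^\s+flow\s+(?:ipv4|ipv6|mpls)\s+monitor\s+\S+"
                     r"(?:\s+sampler\s+\S+)?\s+(ingress|egress)\b", re.I)
IFACE_RE = re.compile(r"^interface\s+(\S+)", re.I)


def is_multicast_mac(mac):
    """The group (multicast) bit is the least significant bit of the first octet."""
    first_octet = int(mac.replace(".", "")[:2], 16)
    return bool(first_octet & 0x01)


def audit_config(text):
    """Return static ARP entries with multicast MACs, BVIs with egress NetFlow,
    and whether both conditions from the bug are present together."""
    mcast_arp, bvi_egress = [], []
    current_if = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current_if = m.group(1)
            continue
        if line.strip() == "!":          # end of an interface block
            current_if = None
        m = ARP_RE.match(line)
        if m and is_multicast_mac(m.group(2)):
            mcast_arp.append((m.group(1), m.group(2).lower()))
            continue
        m = FLOW_RE.match(line)
        if (m and current_if and current_if.upper().startswith("BVI")
                and m.group(1).lower() == "egress"):
            bvi_egress.append(current_if)
    return {"multicast_static_arp": mcast_arp,
            "bvi_egress_netflow": sorted(set(bvi_egress)),
            "at_risk": bool(mcast_arp and bvi_egress)}
```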


Workarounds:

An L2 ACL, in limited use cases


Further Problem Description:

The following errors can be seen in the logs:

No  Time                      Cause Code  Reason
--------------------------------------------------------------------------------
01  Sat May 17 01:23:53 2014  0x0400001b  Cause: Too many fast reset attempts, L
                                          C reboot needed to recover the NP
                                            Process: prm_server_t
02  Sat May 17 01:06:41 2014  0x0400001b  Cause: Too many fast reset attempts, L
                                          C reboot needed to recover the NP
                                            Process: prm_server_t

LC/0/0/CPU0:Jul 18 10:01:36.695 brz: prm_server_ty[302]: Starting fast reset for NP 1

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 
4.6/3.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2014-3335 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html