Guest

Preview Tool

Cisco Bug: CSCvb14640 - Cisco IOS and Cisco IOS XE Software IPv6 SNMP Message Handling Denial of Service Vulnerability

Last Modified

Oct 24, 2019

Products (108)

  • Cisco IOS
  • Cisco Catalyst 3650-24TD-S Switch
  • Cisco Catalyst 3650-48FS-S Switch
  • Cisco Catalyst 3850-48XS-F-S Switch
  • Cisco Catalyst 3650-48FQM-L Switch
  • Cisco Catalyst 3650-48TQ-L Switch
  • Cisco Catalyst 3850-32XS-E Switch
  • Cisco Catalyst 3850-24P-L Switch
  • Cisco Catalyst 3850-24U-S Switch
  • Cisco Catalyst 3850-16XS-S Switch
View all products in Bug Search Tool Login Required

Known Affected Releases

Denali-16.3.1

Description (partial)

Symptom:
A vulnerability in the IPv6 Simple Network Management Protocol (SNMP) code of Cisco IOS and Cisco IOS XE Software could allow an authenticated, remote attacker to cause high CPU usage or a reload of the device.

The vulnerability is due to IPv6 sub block corruption. An attacker could exploit this vulnerability by polling the affected device IPv6 information. An exploit could allow the attacker to trigger high CPU usage or a reload of the device.

There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170906-snmp

Conditions:
This is a day 1 issue with the SNMP code when polling IPv6 interfaces.

Device configured with IPv6.

Could be triggered when polling OIDs that access IPv6 sub-block information or when issuing <cmd>show ipv6 addresses | section Ether</cmd>

There is a condition where IPv6 sub-block corruption can occur that could result in the device crashing when being polled.

IPv6 sub-block corruption could occur when unconfiguring certain processes can sometimes lead to a crash when linked-list traversals are involved, 
or when an IPV6 ppp-session is in the process of deletion and the address information is being polled for that particular virtual-access interface, the 
box might crash.  Hence the higher number of interface the greater likely hood that this issue could be hit.  (In most cases where this has been 
observed the device has been configured with a large - greater than 10K interfaces)

Logs could indicate:

044467: Aug 17 09:12:12.967 UTC: %SNMP-3-INPUT_QFULL_ERR: Packet dropped due to input
044468: Aug 17 09:12:12.968 UTC: %SNMP-3-INPUT_QFULL_ERR: Packet dropped due to input

and seeing drops on SNMP:

show snmp | i drops
    42064 Input queue packet drops (Maximum queue size 1000)

Fixed Releases are available in BST under the Known Fixed Releases.  Below is a summary updated on the 21st Sept 2017:

Cisco IOS Software:
15.5M:	15.5(3)M6 and later
15.5S:	15.5(3)S6 and later

Cisco IOS XE Software:
3.16S:	3.16.6S and later.
16.3 :  16.3.5
16.4 :  16.4.2
16.5 :  16.5.2
16.6 :  16.6.1 and later.

Related Community Discussions

16.3.5 Beta Image Availability
Update 10/10: 16.3.5 official release is now available on cisco.com. Thank you for your participation   We are pleased to announce availability of Beta software for 16.3.5. 16.3.5 will be the fourth rebuild on the 16.3 release train targeted towards Catalyst 3650 /3850 switching platforms.  We are looking for early feedback from customers before 16.3.5 software release is posted on CCO for General Availability (GA). This beta software addresses critical customer found defects which are mentioned ...
Latest activity: Oct 10, 2017
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.