Cisco Cisco IOS Software Release 12.4(4)T

CSCin95836

The Cisco Next Hop Resolution Protocol (NHRP) feature in Cisco IOS contains a vulnerability that 
can result in a restart of the device or possible remote code execution. 

NHRP is a primary component of the Dynamic Multipoint Virtual Private Network (DMVPN) 
feature. 

NHRP can operate in three ways: at the link layer (Layer 2), over Generic Routing Encapsulation 
(GRE) and multipoint GRE (mGRE) tunnels and directly on IP (IP protocol number 54). This 
vulnerability affects all three methods of operation. 

NHRP is not enabled by default for Cisco IOS. 

This vulnerability is addressed by Cisco bug IDs CSCin95836 for non-12.2 mainline releases and 
CSCsi23231 for 12.2 mainline releases. 

This advisory is posted at 

CSCed94829

Multiple Cisco products contain vulnerabilities in the processing of IPSec IKE (Internet Key 
Exchange) messages. These vulnerabilities were identified by the University of Oulu Secure 
Programming Group (OUSPG) “PROTOS” Test Suite for IPSec and can be repeatedly exploited to 
produce a denial of service.

Cisco has made free software available to address this vulnerability for affected customers. Prior to 
deploying software, customers should consult their maintenance provider or check the software for 
feature set compatibility and known issues specific to their environment.

This advisory is posted at

.

CSCeh35254

Symptoms: A dynamically applied policy map may become detached from a VC.

Conditions: This symptom is observed when you change the queue depth for the VC class and apply 
the new configuration to the VC while a session is active.

Workaround: There is no workaround. 

CSCeh61857

Symptoms: You may not be able to configure anything under a non-DOT11 subinterface, not even 
the IP address.

Conditions: This symptom is observed on Cisco 870 series, Cisco 2800 series, and 
Cisco 3800 series, but may also affect other routers.

Workaround: There is no workaround.