Cisco Cisco IOS Software Release 12.2
93
Caveats for Cisco IOS Release 12.2
OL-3513-16 Rev. G0
Resolved Caveats—Cisco IOS Release 12.2(26)
TCP/IP Host-Mode Services
•
CSCed78149
A document that describes how the Internet Control Message Protocol (ICMP) could be used to
perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol
(TCP) has been made publicly available. This document has been published through the Internet
Engineering Task Force (IETF) Internet Draft process, and is entitled “ICMP Attacks Against TCP”
(draft-gont-tcpm-icmp-attacks-03.txt).
perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol
(TCP) has been made publicly available. This document has been published through the Internet
Engineering Task Force (IETF) Internet Draft process, and is entitled “ICMP Attacks Against TCP”
(draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of
three types:
three types:
1. Attacks that use ICMP “hard” error messages
2. Attacks that use ICMP “fragmentation needed and Don’t Fragment (DF) bit set” messages, also
known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP “source quench” messages
2. Attacks that use ICMP “fragmentation needed and Don’t Fragment (DF) bit set” messages, also
known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP “source quench” messages
Successful attacks may cause connection resets or reduction of throughput in existing connections,
depending on the attack type.
depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are
workarounds available to mitigate the effects of the vulnerability.
workarounds available to mitigate the effects of the vulnerability.
http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security
Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple
vendors whose products are potentially affected. Its posting can be found at:
Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple
vendors whose products are potentially affected. Its posting can be found at:
Resolved Caveats—Cisco IOS Release 12.2(26)
This section describes possibly unexpected behavior by Cisco IOS Release 12.2(26). All the caveats
listed in this section are resolved in Cisco IOS Release 12.2(26). This section describes severity 1 and 2
caveats and select severity 3 caveats.
listed in this section are resolved in Cisco IOS Release 12.2(26). This section describes severity 1 and 2
caveats and select severity 3 caveats.
The following information is provided for each caveat:
•
Symptoms: A description of what is observed when the caveat occurs.
•
Conditions: The conditions under which the caveat has been known to occur.
•
Workaround: Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCed65285
Certain release trains of Cisco Internetwork Operating System (IOS), when configured to use the
Cisco IOS Secure Shell (SSH) server in combination with Terminal Access Controller Access
Control System Plus (TACACS+) as a means to perform remote management tasks on Cisco IOS
devices, may contain two vulnerabilities that can potentially cause Cisco IOS devices to exhaust
Cisco IOS Secure Shell (SSH) server in combination with Terminal Access Controller Access
Control System Plus (TACACS+) as a means to perform remote management tasks on Cisco IOS
devices, may contain two vulnerabilities that can potentially cause Cisco IOS devices to exhaust