Release Notes for Cisco 2500 Series for Cisco IOS Release 12.0 T 29
Cisco IOS Syslog Failure
Certain versions of Cisco IOS software may fail or hang when they receive invalid User Datagram
Protocol (UDP) packets sent to their syslog ports (port 514). At least one commonly used Internet
scanning tool generates packets that cause such problems. This fact has been published on public
Internet mailing lists, which are widely read both by security professionals and by security crackers.
This information should be considered in the public domain.
Attackers can cause Cisco IOS devices to repeatedly fail and reload, resulting in a completely
disabled Cisco IOS device that needs to be reconfigured by its administrator. Some Cisco IOS
devices have been observed to hang instead of failing when attacked. These devices do not recover
until they are manually restarted by reset or power cycling. An administrator must personally visit
an attacked, hung device to restart it, even if the attacker is no longer actively sending any traffic.
Some devices have failed without providing stack traces; some devices may indicate that they were
“restarted by power-on,” even when that is not the case.
Assume that any potential attacker is likely to know of the existence of this problem and the ways to
exploit it. An attacker can use tools available to the public on the Internet and does not need to write
any software to exploit the vulnerability. Minimal skill is required and no special equipment is
required.
Despite Cisco specifically inviting such reports, Cisco has received no actual reports of malicious
exploitation of this problem.
This vulnerability notice was posted on Cisco’s World Wide Web site:
http://www.cisco.com/warp/public/770/iossyslog-pub.shtml
This information was also sent to the following e-mail and USENET news recipients:
• cust-security-announce@cisco.com
• bugtraq@netspace.org
• first-teams@first.org (includes CERT/CC)
• first-info@first.org
• cisco@spot.colorado.edu
• comp.dcom.sys.cisco
• nanog@merit.edu
Affected Devices and Software Versions
Vulnerable devices and software versions are specified in Table 7, Affected and Repaired Software
Versions. Affected versions include Releases 11.3 AA, 11.3 DB, and all 12.0 versions (including
12.0 mainline, 12.0 S, 12.0 T, and any other regular released version whose number starts with 12.0),
up to the repaired releases listed in Table 7. Cisco is correcting the problem in certain special
releases and will correct it in future maintenance and interim releases. See Table 7, Affected and
Repaired Software Versions for details. Cisco intends to provide fixes for all affected IOS variants.
No particular configuration is needed to make a Cisco IOS device vulnerable. It is possible to filter
out attack traffic by using access lists. See the “Workarounds” section on page 31 for techniques.
However, except at Internet firewalls, the appropriate filters are not common in customer
configurations. Carefully evaluate your configuration before assuming that any filtering you have
protects you against this attack.
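The evaluation the last paragraph asks for can be partly automated. The following added example (not Cisco's code and not from these release notes) walks a constructed IOS configuration and reports, per interface, whether an inbound access list provably drops UDP datagrams to port 514. It understands only numbered extended `access-list` entries and `ip access-group <n> in`, applies IOS first-match semantics with the implicit deny at the end of every list, and treats any permit that could match first as "not proven blocked"; interface names and addresses are constructed.

```python
import re

# Constructed sample IOS configuration (not from the release notes). Ethernet0's inbound
# ACL 101 drops UDP/514 before its catch-all permit; Serial0 has no inbound ACL at all;
# Serial1's ACL 102 is a bare "permit ip any any", so UDP/514 reaches the router.
SAMPLE_CONFIG = """
access-list 101 deny udp any any eq 514
access-list 101 permit ip any any
access-list 102 permit ip any any
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 101 in
interface Serial0
 ip address 192.0.2.1 255.255.255.252
interface Serial1
 ip address 192.0.2.5 255.255.255.252
 ip access-group 102 in
"""
ENTRY_RE = re.compile(r"^access-list (?P<acl>\S+) (?P<action>permit|deny) (?P<proto>ip|udp|tcp) (?P<rest>.*)$")

def acl_blocks_syslog(entries):
    """First-match walk for a UDP datagram to port 514; True only if provably denied from every source."""
    for action, proto, rest in entries:
        port = re.search(r"\beq (\S+)", rest)
        if proto == "tcp" or (port and port.group(1) not in ("514", "syslog")):
            continue                        # this entry cannot match a UDP/514 packet
        if action == "permit":
            return False                    # a permit may be hit first: not proven blocked
        if rest.startswith("any any"):
            return True                     # deny from any source to any destination
        # narrower deny (specific hosts or subnets): keep walking
    return True                             # every IOS ACL ends in an implicit deny

def audit_config(config):
    """Map each interface to whether its inbound ACL provably drops UDP/514."""
    acls, ifaces, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            acls.setdefault(m["acl"], []).append((m["action"], m["proto"], m["rest"]))
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = None          # no inbound ACL seen yet
        elif current and line.startswith("ip access-group ") and line.endswith(" in"):
            ifaces[current] = line.split()[2]
    # no ACL, or a reference to an undefined ACL, means the interface is unprotected
    return {name: acl in acls and acl_blocks_syslog(acls[acl]) for name, acl in ifaces.items()}

REPORT = audit_config(SAMPLE_CONFIG)  # {'Ethernet0': True, 'Serial0': False, 'Serial1': False}
```

A real audit also has to consider named access lists and traffic that arrives on interfaces the check never sees, so treat a "drops UDP/514" verdict as a starting point rather than proof.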