Release Notes for Cisco IOS Release 12.1E on the Catalyst 6500 and Cisco 7600 Supervisor Engine and MSFC
OL-2310-11
Caveats

There might be OSPF neighbor drops and HSRP flaps when QoS is enabled on a Supervisor
Engine 1 and MSFC2. This problem is resolved in Release 12.1(11b)E14. (CSCeb55271)

Resolved Caveats in Release 12.1(11b)E12

A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a
Denial of Service (DoS) attack from a malformed BGP packet. The BGP protocol is not enabled by
default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the
malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject
a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this
advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
This problem is resolved in Release 12.1(11b)E12. (CSCdu53656)

A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a
Denial of Service (DoS) attack from a malformed BGP packet. The BGP protocol is not enabled by
default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the
malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject
a malformed packet. BGP MD5 is a valid workaround for this problem.
Cisco has made free software available to address this problem. For more details, please refer to this
advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
This problem is resolved in Release 12.1(11b)E12. (CSCea28131)

Cisco routers and switches running Cisco IOS software and configured to process Internet Protocol
version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. A rare sequence of
crafted IPv4 packets sent directly to the device may cause the input interface to stop processing
traffic once the input queue is full. No authentication is required to process the inbound packet.
Processing of IPv4 packets is enabled by default. Devices running only IP version 6 (IPv6) are not
affected. A workaround is available.
Cisco has made software available, free of charge, to correct the problem.
This advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
This problem is resolved in Release 12.1(11b)E12. (CSCea02355)

Resolved Caveats in Release 12.1(11b)E11

Cisco devices which run IOS and contain support for the Secure Shell (SSH) server are vulnerable
to a Denial of Service (DoS) if the SSH server is enabled on the device. A malformed SSH packet
directed at the affected device can cause a reload of the device. No authentication is necessary for
the packet to be received by the affected device. The SSH server in Cisco IOS is disabled by default.
The malformed packets can be generated using the SSHredder test suite from Rapid7, Inc.
Workarounds are available. The Cisco PSIRT is not aware of any malicious exploitation of this
vulnerability.
This advisory is available at this URL:
http://www.cisco.com/warp/public/707/ssh-packet-suite-vuln.shtml
This problem is resolved in Release 12.1(11b)E11. (CSCdz60229)