Cisco Systems Inc. warns that software upgrades will be necessary to correct a problem in several models of its...
Without these upgrades, it's possible to cause a denial of service on devices locally; a remote attack is also possible but unlikely.
The vulnerability, which exists in Cisco 6000, 6500 and 7600 series network devices with Multilayer Switch Feature Card 2 (MSFC2), stems from how they handle certain frames. In the Open Systems Interconnection (OSI) model, layer 2 represents data link frames and layer 3 represents network packets. Layer 2 frames encapsulate a protocol-independent layer 3 packet.
However, it's possible to create a layer 2 frame whose length is inconsistent with the length of the encapsulated layer 3 packet. The software doesn't handle this situation properly, causing the device to freeze or reset, resulting in a denial of service.
Usually, this is only possible locally, since a router or firewall will normally prevent malicious packets from being transmitted. However, it might be possible to exploit this remotely, in the unlikely situation in which the special layer 2 frames pass through intermediate devices without being clipped.
The problem occurs in systems with a FlexWAN module or OSM module, and in systems running IOS 12.1(8b)E14. There's no workaround, only the software upgrade.
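The length inconsistency described above can be checked for on captured traffic. The following is an added example, not Cisco's code or part of the original article: it assumes untagged Ethernet II frames carrying IPv4 with the frame check sequence already stripped, and because the article does not say in which direction the lengths disagree, it flags both. The function names and the sample frames are constructed for illustration.

```python
import struct

ETH_HDR = 14          # dst MAC + src MAC + EtherType
ETH_MIN_PAYLOAD = 46  # shorter payloads are legitimately padded up to this
ETHERTYPE_IPV4 = 0x0800

def check_frame(frame: bytes) -> str:
    """Classify one Ethernet II frame (no FCS, no VLAN tag) carrying IPv4."""
    if len(frame) < ETH_HDR:
        return "runt"
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return "not-ipv4"
    payload = frame[ETH_HDR:]
    if len(payload) < 20:
        return "mismatch: payload too short for an IPv4 header"
    ihl = (payload[0] & 0x0F) * 4                      # header length in bytes
    (total_len,) = struct.unpack("!H", payload[2:4])   # layer 3 packet length
    if ihl < 20 or total_len < ihl:
        return "mismatch: IPv4 header lengths are inconsistent"
    if total_len > len(payload):
        return "mismatch: IPv4 total length exceeds frame payload"
    # Trailing bytes are normal only as padding up to the Ethernet minimum.
    if len(payload) > max(total_len, ETH_MIN_PAYLOAD):
        return "mismatch: frame payload longer than IPv4 total length"
    return "ok"

def build_frame(ip_total_len: int, payload_len: int) -> bytes:
    """Constructed sample input: Ethernet II + minimal IPv4 header, zero body.

    payload_len is the full layer 2 payload size, IPv4 header included.
    """
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + bytes(payload_len - len(ip))

if __name__ == "__main__":
    # (IPv4 total length, layer 2 payload length) pairs, all constructed.
    for l3, l2 in [(100, 100), (28, 46), (1500, 100), (40, 200)]:
        print(f"L3={l3:5d} L2 payload={l2:4d} -> {check_frame(build_frame(l3, l2))}")
```

The second sample shows why a naive equality test is wrong: a 28-byte packet in a 46-byte payload is ordinary minimum-size padding, not a mismatch.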