CVE-2016-1351: Cisco Security Advisory: Cisco IOS and NX-OS Software Locator/ID Separation Protocol Packet Denial of Service Vulnerability
The Locator/ID Separation Protocol (LISP) implementation in Cisco IOS 15.1 and 15.2 and NX-OS 4.1 through 6.2 allows remote attackers to cause a denial of service (device reload) via a crafted header in a packet, aka Bug ID CSCuu64279.
Cisco Catalyst 6500 and 6800 Series Switches running Cisco IOS Software, and Cisco Nexus 7000 and Nexus 7700 Series Switches with an M1 Series Gigabit Ethernet Module running Cisco NX-OS Software are vulnerable when LISP is configured. LISP is not enabled by default on either platform.
For information about which Cisco IOS and NX-OS Software versions are vulnerable, see the “Fixed Software” section of this advisory.
Cisco Catalyst 6500 and 6800 Series Switches LISP support was first introduced in release 15.1(1)SY1. To determine if LISP is configured on the device, use the show running-config | include lisp command to see if router lisp is configured, as shown in the following example:
iosRouter# show running-config | include lisp
router lisp
Determining the Cisco IOS Software Release
To determine which Cisco IOS Software release is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The image name displays in parentheses, followed by the Cisco IOS Software release number and release name.
The following example identifies a Cisco product that is running Cisco IOS Software Release 15.2(1)SY1 with an installed image name of c6880x-ADVENTERPRISEK9-M:
iosRouter# show version
Cisco IOS Software, c6880x Software (c6880x-ADVENTERPRISEK9-M), Version 15.2(1)SY1, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright © 1986-2015 by Cisco Systems, Inc.
Compiled Mon 11-May-15 00:26 by prod_rel_team
.
.
.
Additional information about Cisco IOS Software release naming conventions is available in White Paper: Cisco IOS and NX-OS Software Reference Guide.
**Nexus 7000 and 7700 Series Switches**
The Nexus 7000 and 7700 Series Switches added LISP support in software release 5.2(1). The Nexus 7000 and 7700 Series Switches with LISP configured are vulnerable only if the LISP packet is input on an M1 Series Gigabit Ethernet Module. Use the show module | include M1 command to check whether an M1 module is installed in the Nexus 7000 chassis, as shown in the following example:
nxosRouter# show module | include M1
3 48 10/100/1000 Mbps Ethernet XL Module N7K-M148GT-11L powered-up
If there is an M1 Series Gigabit Ethernet Module installed, it will be vulnerable only if LISP packets are input to interfaces configured on this module. To check whether the LISP feature is enabled, use the show feature | include lisp command, as in the following example:
nxosRouter# show feature | include lisp
lisp 1 enabled
The show ip lisp command can be used to determine the LISP configuration for the M1 interfaces:
nxosRouter# show ip lisp
LISP IP Configuration Information for VRF “default” (iid 1)
Ingress Tunnel Router (ITR):enabled
Egress Tunnel Router (ETR):disabled
Proxy-ITR Router (PTR):disabled
Proxy-ETR Router (PETR):disabled
Map Resolver (MR):disabled
Map Server (MS):disabled
LISP Multicast:disabled
.
.
.
For more information on the Nexus 7000 and 7700 Series Switches LISP Configuration, see Configuring Locator/ID Separation Protocol.
Determine the Cisco NX-OS Software Release
To determine the Cisco NX-OS Software release that is running on a Cisco Nexus 7000 Series switch, administrators can log in to the device and issue the show version command. The following example identifies the 6.2(14) release:
nxosRouter# show version
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
Copyright © 2002-2015, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
Software
BIOS: version 2.12.0
kickstart: version 6.2(14)
system: version 6.2(14)
.
.
.
Note: The following Cisco M1 Series Gigabit Ethernet Modules are no longer supported as of Cisco NX-OS Release 7.3(0)D1(1):
- N7K-M148GT-11
- N7K-M132XP-12
- N7K-M148GS-11
No other Cisco products are currently known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco IOS-XR and Cisco IOS-XE.
Cisco 7600 Series Routers are not affected by this vulnerability.