cisco-sa-iosxr-dhcp-dos-pjpvrelu
Vulnerability from csaf_cisco
Published
2021-09-08 16:00
Modified
2021-10-20 17:55
Summary
Cisco IOS XR Software DHCP Version 4 Server Denial of Service Vulnerability
Notes
Summary
A vulnerability in the DHCP version 4 (DHCPv4) server feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to trigger a crash of the dhcpd process, resulting in a denial of service (DoS) condition.
This vulnerability exists because certain DHCPv4 messages are improperly validated when they are processed by an affected device. An attacker could exploit this vulnerability by sending a malformed DHCPv4 message to an affected device. A successful exploit could allow the attacker to cause a NULL pointer dereference, resulting in a crash of the dhcpd process. While the dhcpd process is restarting, which may take up to approximately two minutes, DHCPv4 server services are unavailable on the affected device. This could temporarily prevent network access to clients that join the network during that time period.
Note: Only the dhcpd process crashes and eventually restarts automatically. The router does not reload.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dhcp-dos-pjPVReLU ["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dhcp-dos-pjPVReLU"]
This advisory is part of the September 2021 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2021 Cisco IOS XR Software Security Advisory Bundled Publication ["https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-74637"].
Vulnerable Products
At the time of publication, this vulnerability affected the following Cisco products if they were running Cisco IOS XR Software releases 6.7.2 and later, 7.1.2 and later, or 7.2.1 and later but earlier than Release 7.3.2 or earlier than Release 7.4.1 and had the DHCPv4 server feature or the DHCPv4 proxy feature enabled:
ASR 9000 Series Aggregation Services Routers
IOS XRv 9000 Routers
Network Convergence System (NCS) 540 Series Routers
NCS 560 Series Routers
NCS 5000 Series Routers
NCS 5500 Series Routers
See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
Determine the DHCPv4 Configuration
To determine whether the DHCPv4 server feature or the DHCPv4 proxy feature is enabled on a device, run the show running-config dhcp ipv4 command in privileged EXEC mode on the device CLI and check for a server profile that is either directly or indirectly (through a base profile) bound to at least one interface.
The following example shows the output of the show running-config dhcp ipv4 command on a device that has the DHCPv4 server profile TEST directly bound to interface GigabitEthernet0/0/0/0:
dhcp ipv4
profile TEST server
.
.
.
!
interface GigabitEthernet0/0/0/0 server profile TEST
The following example shows the output of the show running-config dhcp ipv4 command on a device that has the DHCPv4 server profiles DHCP_SERVER and DEFAULT_PROFILE indirectly bound to interface GigabitEthernet0/0/0/0 through base profile DHCP_BASE:
dhcp ipv4
profile DHCP_BASE base
match option 60 41424355 profile DHCP_SERVER server
default profile DEFAULT_PROFILE server
.
.
.
!
profile DHCP_SERVER server
.
.
.
!
profile DEFAULT_PROFILE server
.
.
.
!
interface GigabitEthernet0/0/0/0 base profile DHCP_BASE
The following example shows the output of the show running-config dhcp ipv4 command on a device that has the DHCPv4 proxy profile PROXY directly bound to interface GigabitEthernet0/0/0/0:
dhcp ipv4
profile PROXY proxy
helper-address vrf default 192.168.23.7 giaddr 192.168.23.11
!
interface GigabitEthernet0/0/0/0 proxy profile PROXY
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products ["#vp"] section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
IOS Software
IOS XE Software
NX-OS Software
Workarounds
There are no workarounds that address this vulnerability.
Fixed Software
When considering software upgrades ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page ["https://www.cisco.com/go/psirt"], to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Fixed Releases
At the time of publication, the following Cisco IOS XR Software releases contained the fix for this vulnerability:
7.3.2 and later
7.4.1 and later
Cisco has released the following SMU to address this vulnerability. Customers who require SMUs for platforms or releases that are not listed are advised to contact their support organization.
Cisco IOS XR Software Release Platform SMU Name 7.1.3 ASR9K-X64 asr9k-x64-7.1.3.CSCvw95930
See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information, including SMU availability.
Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Source
This vulnerability was found during the resolution of a Cisco TAC support case.
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
{
"document": {
"acknowledgments": [
{
"summary": "This vulnerability was found during the resolution of a Cisco TAC support case."
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"notes": [
{
"category": "summary",
"text": "A vulnerability in the DHCP version 4 (DHCPv4) server feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to trigger a crash of the dhcpd process, resulting in a denial of service (DoS) condition.\r\n\r\nThis vulnerability exists because certain DHCPv4 messages are improperly validated when they are processed by an affected device. An attacker could exploit this vulnerability by sending a malformed DHCPv4 message to an affected device. A successful exploit could allow the attacker to cause a NULL pointer dereference, resulting in a crash of the dhcpd process. While the dhcpd process is restarting, which may take up to approximately two minutes, DHCPv4 server services are unavailable on the affected device. This could temporarily prevent network access to clients that join the network during that time period.\r\n\r\nNote: Only the dhcpd process crashes and eventually restarts automatically. The router does not reload.\r\n\r\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\r\n\r\nThis advisory is available at the following link:\r\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dhcp-dos-pjPVReLU [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dhcp-dos-pjPVReLU\"]\r\n\r\nThis advisory is part of the September 2021 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2021 Cisco IOS XR Software Security Advisory Bundled Publication [\"https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-74637\"].",
"title": "Summary"
},
{
"category": "general",
"text": "At the time of publication, this vulnerability affected the following Cisco products if they were running Cisco IOS XR Software releases 6.7.2 and later, 7.1.2 and later, or 7.2.1 and later but earlier than Release 7.3.2 or earlier than Release 7.4.1 and had the DHCPv4 server feature or the DHCPv4 proxy feature enabled:\r\n\r\nASR 9000 Series Aggregation Services Routers\r\nIOS XRv 9000 Routers\r\nNetwork Convergence System (NCS) 540 Series Routers\r\nNCS 560 Series Routers\r\nNCS 5000 Series Routers\r\nNCS 5500 Series Routers\r\n\r\nSee the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.\r\n Determine the DHCPv4 Configuration\r\nTo determine whether the DHCPv4 server feature or the DHCPv4 proxy feature is enabled on a device, run the show running-config dhcp ipv4 command in privileged EXEC mode on the device CLI and check for a server profile that is either directly or indirectly (through a base profile) bound to at least one interface.\r\n\r\nThe following example shows the output of the show running-config dhcp ipv4 command on a device that has the DHCPv4 server profile TEST directly bound to interface GigabitEthernet0/0/0/0:\r\n\r\n\r\ndhcp ipv4\r\n profile TEST server\r\n.\r\n.\r\n.\r\n !\r\n interface GigabitEthernet0/0/0/0 server profile TEST\r\n\r\nThe following example shows the output of the show running-config dhcp ipv4 command on a device that has the DHCPv4 server profiles DHCP_SERVER and DEFAULT_PROFILE indirectly bound to interface GigabitEthernet0/0/0/0 through base profile DHCP_BASE:\r\n\r\n\r\ndhcp ipv4\r\n profile DHCP_BASE base\r\n match option 60 41424355 profile DHCP_SERVER server\r\n default profile DEFAULT_PROFILE server\r\n.\r\n.\r\n.\r\n!\r\n profile DHCP_SERVER server\r\n.\r\n.\r\n.\r\n !\r\n profile DEFAULT_PROFILE server\r\n.\r\n.\r\n.\r\n !\r\n interface GigabitEthernet0/0/0/0 base profile DHCP_BASE\r\n\r\nThe following example shows the output of the show running-config dhcp ipv4 command on a device that has the DHCPv4 proxy profile PROXY directly bound to interface GigabitEthernet0/0/0/0:\r\n\r\n\r\ndhcp ipv4\r\n profile PROXY proxy\r\n helper-address vrf default 192.168.23.7 giaddr 192.168.23.11\r\n !\r\n interface GigabitEthernet0/0/0/0 proxy profile PROXY",
"title": "Vulnerable Products"
},
{
"category": "general",
"text": "Only products listed in the Vulnerable Products [\"#vp\"] section of this advisory are known to be affected by this vulnerability.\r\n\r\nCisco has confirmed that this vulnerability does not affect the following Cisco products:\r\n\r\nIOS Software\r\nIOS XE Software\r\nNX-OS Software",
"title": "Products Confirmed Not Vulnerable"
},
{
"category": "general",
"text": "There are no workarounds that address this vulnerability.",
"title": "Workarounds"
},
{
"category": "general",
"text": "When considering software upgrades [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page [\"https://www.cisco.com/go/psirt\"], to determine exposure and a complete upgrade solution.\r\n\r\nIn all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.\r\n Fixed Releases\r\nAt the time of publication, the following Cisco IOS XR Software releases contained the fix for this vulnerability:\r\n\r\n7.3.2 and later\r\n7.4.1 and later\r\n\r\nCisco has released the following SMU to address this vulnerability. Customers who require SMUs for platforms or releases that are not listed are advised to contact their support organization.\r\n Cisco IOS XR Software Release Platform SMU Name 7.1.3 ASR9K-X64 asr9k-x64-7.1.3.CSCvw95930\r\nSee the Details section in the bug ID(s) at the top of this advisory for the most complete and current information, including SMU availability.",
"title": "Fixed Software"
},
{
"category": "general",
"text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
"title": "Vulnerability Policy"
},
{
"category": "general",
"text": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.",
"title": "Exploitation and Public Announcements"
},
{
"category": "general",
"text": "This vulnerability was found during the resolution of a Cisco TAC support case.",
"title": "Source"
},
{
"category": "legal_disclaimer",
"text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.",
"title": "Legal Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "Emergency Support:\r\n+1 877 228 7302 (toll-free within North America)\r\n+1 408 525 6532 (International direct-dial)\r\nNon-emergency Support:\r\nEmail: psirt@cisco.com\r\nSupport requests that are received via e-mail are typically acknowledged within 48 hours.",
"issuing_authority": "Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.\r\nMore information can be found in Cisco Security Vulnerability Policy available at https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html",
"name": "Cisco",
"namespace": "https://wwww.cisco.com"
},
"references": [
{
"category": "self",
"summary": "Cisco IOS XR Software DHCP Version 4 Server Denial of Service Vulnerability",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dhcp-dos-pjPVReLU"
},
{
"category": "external",
"summary": "Cisco Event Response: September 2021 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication",
"url": "https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-74637"
},
{
"category": "external",
"summary": "Cisco Security Vulnerability Policy",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
},
{
"category": "external",
"summary": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dhcp-dos-pjPVReLU",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dhcp-dos-pjPVReLU"
},
{
"category": "external",
"summary": "Cisco\u0026nbsp;Event Response: September 2021 Cisco\u0026nbsp;IOS XR Software Security Advisory Bundled Publication",
"url": "https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-74637"
},
{
"category": "external",
"summary": "considering software upgrades",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"
},
{
"category": "external",
"summary": "Cisco\u0026nbsp;Security Advisories page",
"url": "https://www.cisco.com/go/psirt"
},
{
"category": "external",
"summary": "Security Vulnerability Policy",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
}
],
"title": "Cisco IOS XR Software DHCP Version 4 Server Denial of Service Vulnerability",
"tracking": {
"current_release_date": "2021-10-20T17:55:23+00:00",
"generator": {
"date": "2022-10-22T03:12:30+00:00",
"engine": {
"name": "TVCE"
}
},
"id": "cisco-sa-iosxr-dhcp-dos-pjPVReLU",
"initial_release_date": "2021-09-08T16:00:00+00:00",
"revision_history": [
{
"date": "2021-09-08T15:43:07+00:00",
"number": "1.0.0",
"summary": "Initial public release."
},
{
"date": "2021-10-20T17:55:23+00:00",
"number": "1.1.0",
"summary": "Clarified vulnerable releases."
}
],
"status": "final",
"version": "1.1.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_family",
"name": "Cisco IOS XR Software",
"product": {
"name": "Cisco IOS XR Software ",
"product_id": "CSAFPID-5834"
}
}
],
"category": "vendor",
"name": "Cisco"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-34737",
"ids": [
{
"system_name": "Cisco Bug ID",
"text": "CSCvw95930"
}
],
"notes": [
{
"category": "other",
"text": "Complete.",
"title": "Affected Product Comprehensiveness"
}
],
"product_status": {
"known_affected": [
"CSAFPID-5834"
]
},
"release_date": "2021-09-08T16:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "Cisco has released software updates that address this vulnerability.",
"product_ids": [
"CSAFPID-5834"
],
"url": "https://software.cisco.com"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-5834"
]
}
],
"title": "Cisco IOS XR Software DHCP Denial of Service Vulnerability"
}
]
}
Loading...