12.3T
|------------+-------------+-------------|
| 12.0DB | 12.0(2)DB | 12.4(18b) |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.0DC | first fixed | 12.4(18b) |
| | in 12.3T | |
|------------+-------------+-------------|
| | 12.0(28)S1 | |
| | | |
| 12.0S | 12.0(32)S5 | |
| | | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.2SU | migrate to | 12.4(18a) |
| | any release | |
| | in 12.3T | |
|------------+-------------+-------------|
| 12.2SV | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.2SVA | Not | |
|------------+-------------+-------------|
| 12.3JX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3T | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.3TPC | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| 12.3JL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3T | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3TPC | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.3VA | Vulnerable; contact TAC | |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|------------+---------------------------+--------------------------|
| | Vulnerable; migrate to | |
| | any release in 15.0M or a | Vulnerable; migrate to |
| 12.3T | fixed 12.4 release. | any release in 15.0M or |
| | Releases up to and | a fixed 12.4 release. |
| | including 12.3(4)T11 are | |
| | not vulnerable. | |
|------------+---------------------------+--------------------------|
| | | Vulnerable; Contact your |
|------------+---------------------------------------+--------------|
| 12.3JL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3T | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3TPC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3VA | Not Vulnerable | |
|------------+---------------------------------------+--------------|
The WebVPN Enhancements feature (Cisco IOS SSLVPN), released in Cisco
IOS Release 12.4(6)T, obsoletes the commands and configurations
originally put forward in Cisco IOS WebVPN.
Further information about Cisco IOS WebVPN is available in the "Cisco
IOS Software Release 12.3T WebVPN feature guide" at the following
link:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/g_sslvpn.html
Further information about Cisco IOS SSLVPN is available in the "Cisco
IOS Software Release 12.4T SSLVPN feature guide" at the following
| 12.3JL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | Vulnerable; first fixed in 12.4 | 12.4(25b) |
| 12.3T | | |
| | Releases up to and including 12.3(8) | 12.4(23b) |
| | T11 are not vulnerable. | |
|------------+---------------------------------------+--------------|
| 12.3TPC | Not Vulnerable | |
|------------+---------------------------------------+--------------|
Cisco IOS software versions that support Control Plane Policing
(CoPP) can be configured to help protect the device from attacks that
target the management and control planes. CoPP is available in Cisco
IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T.
In the following CoPP example, the ACL entries that match the exploit
packets with the permit action will be discarded by the policy-map
drop function, whereas packets that match a deny action (not shown)
are not affected by the policy-map drop function:
framework and complemented by Cisco IOS Flexible Packet Matching
feature, Cisco IOS IPS provides your network with the intelligence to
accurately identify, classify, and stop or block malicious traffic in
real time. Additional information on the Cisco IOS IPS feature can be
found at
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_fwids.html
Prior to the introduction of the Cisco IOS IPS feature, Cisco IOS
provided a similar feature, the Cisco IOS Intrusion Detection System
(IDS). The Cisco IOS IDS feature is not affected by this
vulnerability. Additional information on the Cisco IOS IDS feature
| 12.3JL | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3JX | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| | | 12.4(15)T7 |
| 12.3T | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|--------------+----------------------------------+-----------------|
| 12.3TPC | Not Vulnerable | |
|--------------+----------------------------------+-----------------|
| 12.3VA | Not Vulnerable | |
| 12.3JL | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3JX | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| | Note: Releases prior to 12.3(14)T3 | 12.4(15)T7 |
| 12.3T | are vulnerable, release 12.3(14)T3 | |
| | and later are not vulnerable; | 12.4(18c) |
|-------------+-------------------------------------+---------------|
| 12.3TPC | Not Vulnerable | |
|-------------+-------------------------------------+---------------|
| 12.3VA | Not Vulnerable | |
addresses. Unicast RPF should be considered for use in conjunction
to offer a better mitigation solution.
Control Plane Policing (CoPP) can be used to block untrusted UDP
traffic to the device. Cisco IOS software releases 12.0S, 12.2SX,
12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP can be
configured on a device to help protect the management and control
planes and minimize the risk and effectiveness of direct
infrastructure attacks by explicitly permitting only authorized
traffic that is sent to infrastructure devices in accordance with
existing security policies and configurations. The CoPP example below
|------------+-------------+-------------|
| 12.3JX | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(15)T8 |
| 12.3T | first fixed | 12.4(23) |
| | in 12.4T | |
|------------+-------------+-------------|
| 12.3TPC | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
* Control Plane Policing
Control Plane Policing (CoPP) can be used to block L2TP access to
the device. Cisco IOS software releases 12.0S, 12.2SX, 12.2S,
12.3T, 12.4, and 12.4T support the CoPP feature. CoPP can be
configured on a device to protect the management and control
planes and minimize the risk and effectiveness of direct
infrastructure attacks by explicitly permitting only authorized
traffic that is sent to infrastructure devices in accordance with
existing security policies and configurations. The CoPP example
| 12.3JX | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|------------+---------------------------+--------------------------|
| | Vulnerable; migrate to | Vulnerable; migrate to |
| 12.3T | any release in 15.0M or a | any release in 15.0M or |
| | fixed 12.4 release. | a fixed 12.4 release. |
|------------+---------------------------+--------------------------|
| | | Vulnerable; Contact your |
| | Releases up to and | support organization per |
| 12.3TPC | including 12.3(4)TPC11a | the instructions in |
|------------+-------------+-------------|
| 12.3JX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | 12.4(19a) |
| 12.3T | first fixed | |
| | in 12.4 | 12.4(19b) |
|------------+-------------+-------------|
| 12.3TPC | Vulnerable; | |
| | contact TAC | |
|------------+-------------+-------------|
Views restrict user access to Cisco IOS command-line interface (CLI)
and configuration information; that is, a view can define what
commands are accepted and what configuration information is visible.
For more information about the Role-Based CLI Access feature,
see
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
The server side of the SCP implementation in Cisco IOS software
contains a vulnerability that allows authenticated users with an
attached command-line interface (CLI) view to transfer files to and
from a Cisco IOS device that is configured to be a SCP server,
|--------------------+------------------------------+---------------|
| 12.3JL | Not Vulnerable | |
|--------------------+------------------------------+---------------|
| 12.3JX | Not Vulnerable | |
|--------------------+------------------------------+---------------|
| 12.3T | Not Vulnerable | |
|--------------------+------------------------------+---------------|
| 12.3TPC | Not Vulnerable | |
|--------------------+------------------------------+---------------|
| 12.3VA | Not Vulnerable | |
|--------------------+------------------------------+---------------|
|------------+-------------+-------------|
| 12.3JX | Not | |
| | Vulnerable | |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3T | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.3TPC | 12.3(4) | |
| | TPC11b | |
|------------+-------------+-------------|
| 12.3JL | 12.3(2)JL2 | 12.3(2)JL4 |
|------------+-------------+-------------|
| 12.3JX | 12.3(7)JX9 | 12.3(7)JX10 |
|------------+-------------+-------------|
| | Vulnerable; | |
| 12.3T | first fixed | 12.4(18a) |
| | in 12.4 | |
|------------+-------------+-------------|
| 12.3TPC | 12.3(4) | |
| | TPC11b | |
|------------+-------------+-------------|
compatibility enabled
* 2.0: only SSH protocol version 2 is enabled
For more information about SSH versions in IOS, please check the
following URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_ssh2.html
The SSH server is not available in all IOS images. Devices that do
not support SSH are not vulnerable. Please consult the table of fixed
software in the Software Version and Fixes section for the specific
12.4-based IOS releases that are affected.
(CoA) to establish a tunnel and traverse a NAT-enabled router with
mobile node (MN) data traffic from the home agent (HA).
More information on Mobile IP NAT Traversal feature can be found at
the following link:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gtnatmip.html
Devices that are running an affected version of Cisco IOS Software
and configured for Mobile IPv6 or Mobile IP NAT Traversal feature are
affected by a DoS vulnerability. A successful exploitation of this
vulnerability could cause an interface to stop processing traffic
| 12.3JL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(15)T7 |
| 12.3T | Vulnerable; first fixed in 12.4 | |
| | | 12.4(18c) |
|------------+---------------------------------------+--------------|
| 12.3TPC | Vulnerable; contact TAC | |
|------------+---------------------------------------+--------------|
| 12.3VA | Not Vulnerable | |
Control Plane Policing
+---------------------
Control Plane Policing (CoPP) can be used to block the affected
features' TCP traffic access to the device. Cisco IOS software
releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the
CoPP feature. CoPP can be configured on a device to protect the
management and control planes and minimize the risk and effectiveness
of direct infrastructure attacks by explicitly permitting only
authorized traffic that is sent to infrastructure devices in
accordance with existing security policies and configurations. The
| 12.3JL | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| 12.3JX | Not Vulnerable | |
|------------+---------------------------------------+--------------|
| | | 12.4(25b) |
| 12.3T | Vulnerable; first fixed in 12.4 | |
| | | 12.4(23b) |
|------------+---------------------------------------+--------------|
| 12.3TPC | Releases up to and including 12.3(4) | |
| | TPC11a are not vulnerable. | |
|------------+---------------------------------------+--------------|