From: SecuriTeam <support@securiteam.com>
To: [email protected]
Date: 16 Jul 2006 12:51:54 +0200
Subject: [NEWS] Cisco Intrusion Prevention System Malformed Packet Denial of Service
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cisco Intrusion Prevention System Malformed Packet Denial of Service
------------------------------------------------------------------------

SUMMARY

Successful exploitation of the vulnerability may result in the failure of
an IPS device to operate as expected. Affected devices will become
inaccessible remotely or via the console and stop processing packets. If
deployed as an inline device, an IPS device will stop forwarding packets,
including devices configured to use the auto-bypass feature. This may
result in a network outage. A power reset is required to recover the IPS
device.

DETAILS

Vulnerable Systems:
* IDS-4235
* IPS-4240
* IDS-4250-SX
* IDS-4250-TX
* IDS-4250-XL (4250 with XL accelerator card)
* IPS-4255

Immune Systems:
* NM-CIDS
* IDSM-2
* ASA-SSM-AIP-10
* ASA-SSM-AIP-20
* IDS-4210
* IDS-4215
* IDS-4220
* IDS-4230

Cisco Intrusion Prevention Systems (IPS) are a family of network security
devices that provide network based threat prevention services. A
vulnerability exists in the custom device driver for Intel-based gigabit
network adapters used to process packets received by the sensing
interfaces of certain IPS devices. A malformed IP packet received on an
Intel-based gigabit network adapter configured for use as a sensing
interface may result in the IPS device experiencing a kernel panic.
Affected IPS devices will cease processing packets, producing alerts, and
performing automated actions such as logging, and will become inaccessible
remotely or via the console.

If deployed as an inline device, the IPS will also stop forwarding packets
between interfaces and may cause a network outage. IPS devices configured
to use the auto-bypass feature will also fail to forward packets.

Attackers may use this vulnerability to disable an IPS device to hide
malicious activity. This vulnerability only affects certain IPS devices
configured to use Intel-based gigabit network adapters as sensing
interfaces. IPS devices configured to use an Intel-based gigabit network
adapter as a management interface are not affected by this vulnerability.
A power reset is required to recover the IPS device.

ADDITIONAL INFORMATION

The information has been provided by Cisco Security (psirt@cisco.com).
The original article can be found at:
http://www.cisco.com/warp/public/707/cisco-sa-20060712-ips.shtml