
cisco-sa-20090325-sip.txt

Posted on 26 March 2009
Source: packetstormsecurity.org

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS Software Session Initiation
Protocol Denial of Service Vulnerability

Advisory ID: cisco-sa-20090325-sip

http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml

Revision 1.0

For Public Release 2009 March 25 1600 UTC (GMT)

- ---------------------------------------------------------------------

Summary
=======

A vulnerability exists in the Session Initiation Protocol (SIP)
implementation in Cisco IOS Software that can be exploited remotely
to cause a reload of the Cisco IOS device.

Cisco has released free software updates that address this
vulnerability. There are no workarounds available to mitigate the
vulnerability apart from disabling SIP, if the Cisco IOS device does
not need to run SIP for VoIP services. However, mitigation techniques
are available to help limit exposure to the vulnerability.

This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml

Note: The March 25, 2009, Cisco IOS Security Advisory bundled
publication includes eight Security Advisories. All of the advisories
address vulnerabilities in Cisco IOS Software. Each advisory lists
the releases that correct the vulnerability or vulnerabilities in the
advisory. The following table lists releases that correct all Cisco
IOS Software vulnerabilities that have been published in Cisco
Security Advisories on March 25, 2009, or earlier.

http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml

Individual publication links are listed below:

* Cisco IOS cTCP Denial of Service Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml

* Cisco IOS Software Multiple Features IP Sockets Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml

* Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml

* Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml

* Cisco IOS Software Session Initiation Protocol Denial of Service
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml

* Cisco IOS Software Multiple Features Crafted TCP Sequence
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml

* Cisco IOS Software Multiple Features Crafted UDP Packet
Vulnerability
http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml

* Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml

Affected Products
=================

This vulnerability only affects devices running Cisco IOS Software
with SIP voice services enabled.

Vulnerable Products
+------------------

Cisco devices running affected Cisco IOS Software versions that
process SIP messages are affected. The only requirement for this
vulnerability is that the Cisco IOS device process SIP messages as
part of configured VoIP functionality. Note that this does not apply
to the processing of SIP messages as part of the NAT and firewall
feature sets.

Recent versions of Cisco IOS Software do not process SIP messages by
default. Creating a dial peer by way of the command dial-peer voice
will start the SIP processes and cause the Cisco IOS device to start
processing SIP messages. In addition, several features within Cisco
Unified Communications Manager Express, such as ePhones, once
configured will also automatically start the SIP process, which will
cause the device to start processing SIP messages. An example of an
affected configuration is as follows:

dial-peer voice <Voice dial-peer tag> voip
...
!

Note: Older versions of Cisco IOS Software were affected by a bug
that caused Cisco IOS Software to process SIP messages without being
configured for SIP operation. Refer to
http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml for
additional information on Cisco bug ID CSCsb25337.

In addition to inspecting the Cisco IOS device configuration for a
dial-peer command that causes the device to process SIP messages,
administrators can also use the command show processes | include SIP
to determine whether Cisco IOS Software is running the processes that
handle SIP messages. In the following example, the presence of the
processes CCSIP_UDP_SOCKET and CCSIP_TCP_SOCKET indicates that the
Cisco IOS device is processing SIP messages:

Router#show processes | include SIP
147 Mwe 40F46DF4 12 2 600023468/24000 0 CCSIP_SPI_CONTRO
148 Mwe 40F21244 0 1 0 5524/6000 0 CCSIP_DNS
149 Mwe 40F48254 4 1 400023108/24000 0 CCSIP_UDP_SOCKET
150 Mwe 40F48034 4 1 400023388/24000 0 CCSIP_TCP_SOCKET

Warning: Since there are several ways a device running Cisco IOS
Software can start processing SIP messages, it is recommended that
the show processes | include SIP command be used to determine whether
the device is processing SIP messages instead of relying on the
presence of specific configuration commands.

To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.

The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.3(26) with an installed image name of
C2500-IS-L:

Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih

!--- output truncated


The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.4(20)T with an installed image name of
C1841-ADVENTERPRISEK9-M:

Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team

!--- output truncated


Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS Reference Guide"
at the following link: http://www.cisco.com/warp/public/620/1.html

Products Confirmed Not Vulnerable
+--------------------------------

The SIP Application Layer Gateway (ALG), which is used by the Cisco
IOS NAT and firewall features of Cisco IOS Software, is not affected
by this vulnerability.

Cisco devices that are running Cisco IOS XE Software and Cisco IOS XR
Software are not affected.

No other Cisco products are currently known to be affected by this
vulnerability.

Details
=======

SIP is a popular signaling protocol that is used to manage voice and
video calls across IP networks such as the Internet. SIP is
responsible for handling all aspects of call setup and termination.
Voice and video are the most popular types of sessions that SIP
handles, but the protocol has the flexibility to accommodate other
applications that require call setup and termination. SIP call
signaling can use UDP (port 5060), TCP (port 5060), or TLS (TCP port
5061) as the underlying transport protocol.

A denial of service (DoS) vulnerability exists in the SIP
implementation in Cisco IOS Software. This vulnerability is triggered
by processing a specific and valid SIP message.

This vulnerability is documented in Cisco Bug ID CSCsu11522 and has
been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2009-0636.

Note: The vulnerabilities described in the advisories Cisco IOS
Software Multiple Features IP Sockets Vulnerability and Cisco IOS
Software Multiple Features Crafted UDP Packet Vulnerability, both
part of this bundle of Cisco IOS advisories, may also impact SIP
operations.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss

CSCsu11522 - A voice gateway may crash when processing valid SIP

CVSS Base Score - 7.8

Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete

CVSS Temporal Score - 6.4

Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability described in this
document may result in a reload of the device. The issue could be
repeatedly exploited to cause an extended DoS condition.

Software Versions and Fixes
===========================

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.

Note: In addition to CSCsu11522 and because of its impact on SIP
operation, this table of fixed software takes into consideration the
vulnerability tracked by Cisco Bug CSCsk64158, from "Cisco Security
Advisory: Crafted UDP Packet Affects Multiple Cisco IOS Features"
(http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml).
The table does not take into consideration the vulnerability
disclosed by "Cisco Security Advisory: Cisco IOS IP Sockets
Vulnerability Affecting Multiple Cisco IOS Features", which may
impact SIP over TLS.
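
The device checks under "Vulnerable Products" (show processes | include SIP, show version) and the "First Fixed Release" comparison described above can be scripted for triage across many devices. The following Python is an added example, not part of the Cisco advisory: all function names are hypothetical, and the release ordering in earlier_than_fix is an assumption about IOS release numbering, not a rule stated by Cisco.

```python
import re
from typing import List, NamedTuple, Optional, Sequence, Tuple

# Matches both banner styles quoted in the advisory:
#   IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
#   Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, ...
BANNER_RE = re.compile(r"\(([A-Za-z0-9_-]+)\),\s+Version\s+([^,\s]+),")
# major(maintenance[letter])TRAIN[rebuild][letter], e.g. 12.4(18e), 12.0(32)S12
RELEASE_RE = re.compile(r"^(\d+\.\d+)\((\d+)([a-z]?)\)([A-Z]*)(\d*)([a-z]?)$")
# Process names the advisory gives as the sign that SIP messages are handled.
SIP_SOCKET_PROCS = ("CCSIP_UDP_SOCKET", "CCSIP_TCP_SOCKET")

class Release(NamedTuple):
    major: str           # "12.4"
    maintenance: int     # 20 in 12.4(20)T
    maint_letter: str    # "e" in 12.4(18e)
    train: str           # "T"; "" for mainline
    rebuild: int         # 12 in 12.0(32)S12; 0 when absent
    rebuild_letter: str  # "m" in 12.2(15)MC2m

    @property
    def table_row(self) -> str:
        """Row label used in the fixed-software table, e.g. '12.4T'."""
        return self.major + self.train

def parse_release(text: str) -> Release:
    m = RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IOS release string: {text!r}")
    major, maint, mlet, train, rebuild, rlet = m.groups()
    return Release(major, int(maint), mlet, train, int(rebuild or 0), rlet)

def parse_show_version(output: str) -> Tuple[str, Release]:
    """Return (image name, release) from 'show version' output."""
    m = BANNER_RE.search(output)
    if not m:
        raise ValueError("no Cisco IOS banner found")
    return m.group(1), parse_release(m.group(2))

def sip_socket_processes(output: str) -> List[str]:
    """SIP socket processes listed by 'show processes | include SIP'."""
    found = []
    for line in output.splitlines():
        fields = line.split()
        if fields and fields[-1] in SIP_SOCKET_PROCS:
            found.append(fields[-1])
    return found

def earlier_than_fix(running: Release,
                     first_fixed: Sequence[Release]) -> Optional[bool]:
    """True if 'running' sorts before the First Fixed Release(s) of its row.

    Assumed ordering (not stated by Cisco): within one train, maintenance
    number first, then rebuild. If a row lists several fixes, the entry with
    the same maintenance number decides; otherwise the highest listed
    maintenance number does. None means no fix was supplied for this row.
    """
    same_row = [f for f in first_fixed if f.table_row == running.table_row]
    if not same_row:
        return None

    def key(r: Release):
        return (r.maint_letter, r.rebuild, r.rebuild_letter)

    for fix in same_row:
        if fix.maintenance == running.maintenance:
            return key(running) < key(fix)
    return running.maintenance < max(f.maintenance for f in same_row)

def triage(show_version: str, show_processes: str,
           first_fixed: Sequence[Release] = ()) -> dict:
    """Combine both device checks with the table comparison."""
    image, rel = parse_show_version(show_version)
    procs = sip_socket_processes(show_processes)
    return {"image": image, "table_row": rel.table_row,
            "sip_processes": procs, "processing_sip": bool(procs),
            "earlier_than_fix": earlier_than_fix(rel, first_fixed)}

# Sample input copied from the advisory's own examples.
SHOW_VERSION = """Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
"""
SHOW_PROCESSES = """Router#show processes | include SIP
147 Mwe 40F46DF4 12 2 600023468/24000 0 CCSIP_SPI_CONTRO
148 Mwe 40F21244 0 1 0 5524/6000 0 CCSIP_DNS
149 Mwe 40F48254 4 1 400023108/24000 0 CCSIP_UDP_SOCKET
150 Mwe 40F48034 4 1 400023388/24000 0 CCSIP_TCP_SOCKET
"""
# First Fixed Release values for rows 12.0S and 12.2SB, from the table.
FIXES = [parse_release(s) for s in
         ("12.0(32)S12", "12.2(28)SB13", "12.2(31)SB14", "12.2(33)SB3")]

if __name__ == "__main__":
    print(triage(SHOW_VERSION, SHOW_PROCESSES, FIXES))
    # The running releases below are constructed for illustration.
    for running in ("12.0(32)S11", "12.2(31)SB10", "12.2(33)SB3"):
        print(running, earlier_than_fix(parse_release(running), FIXES))
```

A result of None for earlier_than_fix means the row's First Fixed Release was not supplied, so the release still has to be checked against the table by hand.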

+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+------------------------------------------------------|
| Affected | | Recommended |
| 12.0-Based | First Fixed Release | Release |
| Releases | | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0 | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0DA | Vulnerable; first fixed in 12.2DA | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0DB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0DC | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.0S | 12.0(32)S12 | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| 12.0SC | Vulnerable; first fixed in 12.0S | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| 12.0SL | Vulnerable; first fixed in 12.0S | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0SP | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.0ST | Vulnerable; first fixed in 12.0S | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| 12.0SX | Vulnerable; first fixed in 12.0S | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| 12.0SY | 12.0(32)SY8 | 12.0(32)SY8 |
|------------+-------------------------------------+----------------|
| 12.0SZ | Vulnerable; first fixed in 12.0S | 12.0(32)S12 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0T | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.0W | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.0WC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.0WT | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XC | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XD | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XE | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.0XF | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XG | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XH | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | Releases prior to 12.0(4)XI2 are | 12.4(18e) |
| | vulnerable, release 12.0(4)XI2 and | |
| 12.0XI | later are not vulnerable; first | 12.4(23a); |
| | fixed in 12.4 | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XJ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XK | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XL | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XM | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XN | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XQ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XR | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XS | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XT | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.0XV | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| Affected | | Recommended |
| 12.1-Based | First Fixed Release | Release |
| Releases | | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1 | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.1AA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1AX | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| | | 12.1(22)EA13 |
| 12.1AY | Vulnerable; first fixed in 12.1EA | |
| | | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| | | 12.1(22)EA13 |
| 12.1AZ | Vulnerable; first fixed in 12.1EA | |
| | | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.1CX | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1DA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1DB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1DC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1E | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.1EA | 12.1(22)EA13 | 12.1(22)EA13 |
|------------+-------------------------------------+----------------|
| 12.1EB | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SCB1 |
| 12.1EC | Vulnerable; first fixed in 12.3BC | |
| | | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| 12.1EO | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1EU | Vulnerable; first fixed in 12.2SG | 12.2(31)SGA9 |
|------------+-------------------------------------+----------------|
| 12.1EV | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1EW | Vulnerable; migrate to 12.2SGA | 12.2(31)SGA9 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1EX | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.1EY | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.1EZ | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1GA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1GB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1T | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XC | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XD | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XE | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XF | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XG | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XH | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XI | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XJ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XL | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XM | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XP | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XQ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XR | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XS | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XT | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XU | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XV | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XW | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XX | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XY | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1XZ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YC | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YD | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | Releases prior to 12.1(5)YE6 are | 12.4(18e) |
| | vulnerable, release 12.1(5)YE6 and | |
| 12.1YE | later are not vulnerable; first | 12.4(23a); |
| | fixed in 12.4 | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YF | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.1YH | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.1YI | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.1(22)EA13 |
| 12.1YJ | Vulnerable; first fixed in 12.1EA | |
| | | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| Affected | | Recommended |
| 12.2-Based | First Fixed Release | Release |
| Releases | | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2 | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2B | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to 12.2SCB or | 12.2(33)SCB1 |
| 12.2BC | 12.3BC | |
| | | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2BW | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2BX | Vulnerable; migrate to 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2BY | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2BZ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to 12.2SCB or | 12.2(33)SCB1 |
| 12.2CX | 12.3BC | |
| | | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to 12.2SCB or | 12.2(33)SCB1 |
| 12.2CY | 12.3BC | |
| | | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| 12.2CZ | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | 12.2(12)DA14; Available on | |
| 12.2DA | 30-JUL-2009 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2DD | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2DX | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2EW | Vulnerable; first fixed in 12.2SG | 12.2(31)SGA9 |
|------------+-------------------------------------+----------------|
| 12.2EWA | Vulnerable; first fixed in 12.2SG | 12.2(31)SGA9 |
|------------+-------------------------------------+----------------|
| 12.2EX | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2EY | 12.2(44)EY | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2EZ | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2FX | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2FY | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2FZ | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SRC4; |
| 12.2IRA | Vulnerable; first fixed in 12.2SRC | Available on |
| | | 18-MAY-2009 |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SRC4; |
| 12.2IRB | Vulnerable; first fixed in 12.2SRC | Available on |
| | | 18-MAY-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXA | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXB | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXC | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXD | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXE | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXF | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to any release | 12.2(18)IXH; |
| 12.2IXG | in 12.2IXH | Available on |
| | | 31-MAR-2009 |
|------------+-------------------------------------+----------------|
| 12.2JA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2JK | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2MB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2MC | 12.2(15)MC2m | 12.2(15)MC2m |
|------------+-------------------------------------+----------------|
| 12.2S | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| | 12.2(28)SB13 | |
| | | |
| 12.2SB | 12.2(31)SB14 | 12.2(33)SB4 |
| | | |
| | 12.2(33)SB3 | |
|------------+-------------------------------------+----------------|
| 12.2SBC | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| 12.2SCA | Vulnerable; first fixed in 12.2SCB | 12.2(33)SCB1 |
|------------+-------------------------------------+----------------|
| 12.2SCB | 12.2(33)SCB1 | 12.2(33)SCB1 |
|------------+-------------------------------------+----------------|
| | 12.2(50)SE | |
| | | |
| 12.2SE | 12.2(46)SE2 | 12.2(44)SE6 |
| | | |
| | 12.2(44)SE5 | |
|------------+-------------------------------------+----------------|
| 12.2SEA | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SEB | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SEC | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SED | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SEE | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SEF | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| 12.2SEG | Vulnerable; first fixed in 12.2SE | 12.2(44)SE6 |
|------------+-------------------------------------+----------------|
| | | 12.2(52)SG; |
| 12.2SG | 12.2(50)SG | Available on |
| | | 15-MAY-2009 |
|------------+-------------------------------------+----------------|
| 12.2SGA | 12.2(31)SGA9 | 12.2(31)SGA9 |
|------------+-------------------------------------+----------------|
| 12.2SL | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.2SM | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SO | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SQ | 12.2(44)SQ1 | |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SRD1 |
| | | |
| 12.2SRA | Vulnerable; first fixed in 12.2SRC | 12.2(33)SRC4; |
| | | Available on |
| | | 18-MAY-2009 |
|------------+-------------------------------------+----------------|
| | | 12.2(33)SRC4; |
| | | Available on |
| | | 18-MAY-2009 |
| | | |
| 12.2SRB | Vulnerable; first fixed in 12.2SRC | 12.2(33)SRD1 |
| | | |
| | | 12.2(33)SRB5a; |
| | | Available on |
| | | 3-April-2009 |
|------------+-------------------------------------+----------------|
| | 12.2(33)SRC4; Available on | 12.2(33)SRC4; |
| 12.2SRC | 18-MAY-2009 | Available on |
| | | 18-MAY-2009 |
|------------+-------------------------------------+----------------|
| 12.2SRD | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.2STE | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(22)T1 |
| | | |
| 12.2SU | Vulnerable; first fixed in 12.4T | 12.4(15)T9; |
| | | Available on |
| | | 29-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2SV | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SVA | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SVC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SVD | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SVE | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SW | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| 12.2SX | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2SXA | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2SXB | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2SXD | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2SXE | Vulnerable; first fixed in 12.2SXF | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| 12.2SXF | 12.2(18)SXF16 | 12.2(18)SXF16 |
|------------+-------------------------------------+----------------|
| | 12.2(33)SXH5; Available on | 12.2(33)SXH5; |
| 12.2SXH | 20-APR-2009 | Available on |
| | | 20-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2SXI | Not Vulnerable | |
|------------+-------------------------------------+----------------|
| 12.2SY | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| 12.2SZ | Vulnerable; first fixed in 12.2SB | 12.2(33)SB4 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2T | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| 12.2TPC | Vulnerable; contact TAC | |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XA | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XB | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XC | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XD | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XE | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | Vulnerable; migrate to 12.2SCB or | 12.2(33)SCB1 |
| 12.2XF | 12.3BC | |
| | | 12.3(23)BC6 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XG | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XH | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XI | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XJ | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XK | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XL | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|------------+-------------------------------------+----------------|
| | | 12.4(18e) |
| | | |
| 12.2XM | Vulnerable; first fixed in 12.4 | 12.4(23a); |
| | | Available on |
| | | 30-APR-2009 |
|-----------

 
