Nexpose Vulnerability Database




Cisco IOS Virtual Private Dial-up Network PPTP Denial of Service

Severity: Severe (7)
CVSS: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: Mar 26, 2008
Added: Jun 22, 2008
Modified: Apr 7, 2011

Description:

Cisco IOS versions prior to 12.3, when configured for Virtual Private Dial-up Network (VPDN) support, are susceptible to a memory leak when handling PPTP session termination, which may lead to a denial of service condition. An attacker could construct and send malicious PPTP packets to exhaust resources on the device and cause the Cisco IOS-based router to stop servicing requests.

References:

Solution:

Upgrade to the latest version of Cisco IOS

Download and apply the upgrade from: http://www.cisco.com/univercd/cc/td/doc/product/software/

Upgrade to the latest version of Cisco IOS that your hardware supports. Upgrading IOS is often complicated by the fact that at any given time, Cisco is working on several different release trains simultaneously. Furthermore, upgrading to the latest version of IOS is not always possible without upgrading the router hardware (for example, adding memory). Consult Cisco's IOS support pages for more information on the latest IOS releases. Please refer to http://www.cisco.com/warp/public/620/1.html for an explanation of the Cisco IOS versioning scheme.

It is possible to obtain custom-built IOS images via a Cisco support contract. The recommended method for obtaining updated IOS images is to record the results of the "show version" command on the router, and then to obtain a complete list of required fixes and bring this information to your Cisco support representative. Note that security fixes are not necessarily included in the latest releases -- you should specifically ask that the fixes be included in your image. Depending on your configuration, it may take several days to obtain an updated release that works for your hardware.

As of April 2011, the latest supported IOS releases are Cisco IOS 12.4 and 15.1, with the latest "T" family releases being 12.4(24)T and 15.1(3)T respectively. Note: as release version 15 is considered a major upgrade, careful consideration should be given before upgrading.
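
The condition in the description (IOS prior to 12.3 with VPDN configured for PPTP) can be checked from saved "show version" and running-config text. The following is an added example, not part of Nexpose or Cisco tooling; the sample outputs are constructed, the function names are hypothetical, and the version test is only the coarse major.minor comparison the description gives, so it does not recognise custom-built images that already carry the fix.

```python
import re

# Constructed sample inputs (not captured from a real device).
SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(15)T, RELEASE SOFTWARE (fc1)
"""
RUNNING_CONFIG = """\
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
"""

VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\(([^)]+)\)([A-Za-z0-9]*)")

def parse_ios_version(show_version):
    """Return (major, minor, release string) from 'show version' text, or None."""
    m = VERSION_RE.search(show_version)
    if not m:
        return None
    major, minor, build, train = m.groups()
    return int(major), int(minor), f"{major}.{minor}({build}){train}"

def pptp_vpdn_enabled(config):
    """True if VPDN is globally enabled and a vpdn-group accepts PPTP."""
    enabled = in_group = pptp = False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # top-level command ends any group
            in_group = line.startswith("vpdn-group ")
            enabled = enabled or line == "vpdn enable"
        elif in_group and line in ("protocol pptp", "protocol any"):
            pptp = True
    return enabled and pptp

def triage(show_version, config):
    """Classify a device against this entry: IOS < 12.3 with PPTP VPDN."""
    ver = parse_ios_version(show_version)
    if ver is None:
        return "unknown"
    old = ver[:2] < (12, 3)
    if old and pptp_vpdn_enabled(config):
        return "affected"
    return "version-only" if old else "not-flagged"

if __name__ == "__main__":
    print(parse_ios_version(SHOW_VERSION)[2], triage(SHOW_VERSION, RUNNING_CONFIG))
```

A "version-only" result means the release predates 12.3 but no PPTP VPDN group was found in the supplied configuration; the parsed release string is the value to bring to the support representative along with the list of required fixes.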



Information on these pages is summary information extracted from the Nexpose Vulnerability Assessment system. Full details are provided within the Nexpose product for licensed users.