—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Liebe Kolleginnen und Kollegen,
soeben erreichte uns nachfolgende Warnung von Ciscos Product Security
Incident Response Team (PSIRT). Wir geben diese Informationen
unveraendert an Sie weiter.
CVE-2010-2830 – Schwachstelle in der Cisco IOS IGMP-Implementierung
Ein fehlgeformtes Paket im Format des Internet Group Management
Protokolls (IGMP) kann ein Cisco IOS Geraet zum Neustart zwingen. Ein
Angreifer kann diese Schwachstelle fuer einen Denial of Service Angriff
ausnutzen. Voraussetzung ist, dass ein Interface des Routers fuer IGMP
Version 3 und Protocol Independent Multicast (PIM) aktiviert ist und
ein IGMP-Paket an eine beliebige IP des Routers gesendet werden kann.
Betroffen sind die folgenden Software Pakete und Plattformen:
Cisco IOS und Cisco IOS XE Software mit einem Interface, das fuer IGMP
Version 3 und Protocol Independent Multicast (PIM) aktiviert ist. Fuer
die Liste der betroffenen und nicht betroffenen IOS und IOS XE
Versionen verweisen wir auf das Cisco Advisory.
Cisco IOS Software
Cisco IOS XE Software
Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.
(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.
Mit freundlichen Gruessen,
Jan Kohlrausch (CSIRT), Phone +49 40 808077-555
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
CarmentiS – Early Warning Expertise
https://www.carmentis.org
– —–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Cisco Security Advisory: Cisco IOS Software Internet Group Management
Protocol Denial of Service Vulnerability
Advisory ID: cisco-sa-20100922-igmp
http://www.cisco.com/warp/public/707/cisco-sa-20100922-igmp.shtml
Revision 1.0
For Public Release 2010 September 22 1600 UTC (GMT)
– – ———————————————————————
Summary
=======
A vulnerability in the Internet Group Management Protocol (IGMP)
version 3 implementation of Cisco IOS Software and Cisco IOS XE
Software allows a remote unauthenticated attacker to cause a reload
of an affected device. Repeated attempts to exploit this
vulnerability could result in a sustained denial of service (DoS)
condition. Cisco has released free software updates that address this
vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20100922-igmp.shtml
Note: The September 22, 2010, Cisco IOS Software Security Advisory
bundled publication includes six Cisco Security Advisories. Five of
the advisories address vulnerabilities in Cisco IOS Software, and one
advisory addresses vulnerabilities in Cisco Unified Communications
Manager. Each advisory lists the releases that correct the
vulnerability or vulnerabilities detailed in the advisory. The table
at the following URL lists releases that correct all Cisco IOS
Software vulnerabilities that have been published on September 22,
2010, or earlier:
http://www.cisco.com/warp/public/707/cisco-sa-20100922-bundle.shtml
Individual publication links are in “Cisco Event Response: Semiannual
Cisco IOS Software Security Advisory Bundled Publication” at the
following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html
Affected Products
=================
Vulnerable Products
+——————
The following products are affected by this vulnerability:
* Cisco IOS Software
* Cisco IOS XE Software
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue
the show version command to display the system banner. The system
banner confirms that the device is running Cisco IOS Software by
displaying text similar to “Cisco Internetwork Operating System
Software” or “Cisco IOS Software.” The image name displays in
parentheses, followed by “Version” and the Cisco IOS Software
release name. Other Cisco devices do not have the show version
command or may provide different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.4(20)T with an installed image name
of C1841-ADVENTERPRISEK9-M:
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
Additional information about Cisco IOS Software release naming
conventions is available in White Paper: Cisco IOS and NX-OS
Software Reference Guide.
Products Confirmed Not Vulnerable
+——————————–
No other Cisco products are currently known to be affected by this
vulnerability. Cisco IOS XR Software is not affected by this
vulnerability.
The IGMP version 1, IGMP version 2, and IPv6 Multicast Listener
Discovery protocol (MLD) features in Cisco IOS and Cisco IOS XE
Software are not affected by this vulnerability.
Details
=======
Internet Group Management Protocol (IGMP) is the protocol used by
hosts and adjacent routers to manage membership in IP multicast
groups. The IGMP version 3 protocol permits source-specific multicast
which allows hosts to specify the IP address of the multicast source.
A malformed IGMP packet can cause a vulnerable device to reload. This
vulnerability can only be exploited if the malformed IGMP packet is
received on an interface that has been enabled for IGMP version 3 and
Protocol Independent Multicast (PIM). The malformed IGMP packet
destination address can be unicast, multicast, or broadcast and can
be addressed to any IP address in the vulnerable device, including
loopback addresses.
To exploit this vulnerability, a malformed packet must be received on
a vulnerable interface, but it can be addressed to any IP address on
the vulnerable device.
Transit traffic will not trigger this vulnerability.
A vulnerable interface configuration requires the PIM mode of
operation (sparse-dense, sparse, or dense) to be configured in
addition to the ip igmp version 3 command. The three possible
configurations that permit exploitation of this vulnerability are:
!— Interface configured for PIM sparse and IGMPv3
interface GigabitEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip pim sparse-mode
ip igmp version 3
!— Interface configured for PIM sparse-dense and IGMPv3
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip pim sparse-dense-mode
ip igmp version 3
!— Interface configured for PIM dense and IGMPv3
interface GigabitEthernet0/2
ip address 192.168.2.1 255.255.255.0
ip pim dense-mode
ip igmp version 3
The IGMP version 3 lite feature is unrelated to this vulnerability,
in that the presence or absence of the ip igmp v3lite command on an
interface does not change the vulnerable condition of that interface.
The IP router alert option may or may not be present in packets
attempting to exploit the vulnerability described in this document.
This vulnerability is documented in Cisco bug ID CSCte14603 (
registered customers only) . This vulnerability has been assigned
Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2830.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCte14603 – IGMPv3 DoS Vulnerability
CVSS Base Score – 7.1
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Complete
CVSS Temporal Score – 5.9
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of this vulnerability may cause the affected
device vulnerable device to reload. Repeated exploitation may result
in a sustained DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the following Cisco IOS Software table corresponds to a
Cisco IOS Software train. If a particular train is vulnerable, the
earliest releases that contain the fix are listed in the First Fixed
Release For This Advisory column. The First Fixed Release for All
Advisories in the September 2010 Bundle Publication column lists the
earliest possible releases that correct all the published
vulnerabilities in the Cisco IOS Software Security Advisory bundled
publication. Cisco recommends upgrading to the latest available
release, where possible.
+——————————————————————-+
| Major | Availability of Repaired Releases |
| Release | |
|————+——————————————————|
| Affected | | First Fixed Release for |
| 12.0-Based | First Fixed Release for | All Advisories in the |
| Releases | This Advisory | September 2010 Bundle |
| | | Publication |
|——————————————————————-|
| There are no affected 12.0 based releases |
|——————————————————————-|
| Affected | | First Fixed Release for |
| 12.1-Based | First Fixed Release for | All Advisories in the |
| Releases | This Advisory | September 2010 Bundle |
| | | Publication |
|——————————————————————-|
| There are no affected 12.1 based releases |
|——————————————————————-|
| Affected | | First Fixed Release for |
| 12.2-Based | First Fixed Release for | All Advisories in the |
| Releases | This Advisory | September 2010 Bundle |
| | | Publication |
|————+————————–+—————————|
| 12.2 | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| | | Vulnerable; first fixed |
| | | in 12.4T |
| 12.2B | Not Vulnerable | |
| | | Releases up to and |
| | | including 12.2(2)B7 are |
| | | not vulnerable. |
|————+————————–+—————————|
| 12.2BC | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2BW | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| | | Vulnerable; first fixed |
| | | in 12.2SB |
| 12.2BX | Not Vulnerable | |
| | | Releases up to and |
| | | including 12.2(15)BX are |
| | | not vulnerable. |
|————+————————–+—————————|
| | | Vulnerable; first fixed |
| | | in 12.4T |
| 12.2BY | Not Vulnerable | |
| | | Releases up to and |
| | | including 12.2(2)BY3 are |
| | | not vulnerable. |
|————+————————–+—————————|
| 12.2BZ | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2CX | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2CY | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2CZ | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| 12.2DA | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2DD | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2DX | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2EW | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2EWA | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2EX | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2EY | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2EZ | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2FX | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2FY | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2FZ | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2IRA | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2IRB | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2IRC | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2IRD | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2IRE | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2IXA | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2IXB | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2IXC | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2IXD | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2IXE | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2IXF | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2IXG | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2IXH | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| 12.2JA | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2JK | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2MB | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| | | Releases up to and |
| | | including 12.2(15)MC1 are |
| 12.2MC | Not Vulnerable | not vulnerable. Releases |
| | | 12.2(15)MC2b and later |
| | | are not vulnerable; first |
| | | fixed in 12.4T |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2MRA | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| 12.2MRB | Not Vulnerable | 12.2(33)MRB2 |
|————+————————–+—————————|
| | | Releases prior to 12.2 |
| 12.2S | Not Vulnerable | (30)S are vulnerable, |
| | | release 12.2(30)S and |
| | | later are not vulnerable |
|————+————————–+—————————|
| | | 12.2(31)SB19; Releases |
| | | prior to 12.2(33)SB5 are |
| 12.2SB | Not Vulnerable | vulnerable, release 12.2 |
| | | (33)SB5 and later are not |
| | | vulnerable |
|————+————————–+—————————|
| 12.2SBC | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.2SB |
|————+————————–+—————————|
| 12.2SCA | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.2SCB |
|————+————————–+—————————|
| 12.2SCB | Not Vulnerable | 12.2(33)SCB9 |
|————+————————–+—————————|
| 12.2SCC | Not Vulnerable | 12.2(33)SCC5 |
|————+————————–+—————————|
| 12.2SCD | Not Vulnerable | 12.2(33)SCD3 |
|————+————————–+—————————|
| 12.2SE | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2SEA | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2SEB | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2SEC | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2SED | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2SEE | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2SEF | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2SEG | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| | | Releases prior to 12.2 |
| | | (40)SG are vulnerable, |
| 12.2SG | Not Vulnerable | release 12.2(40)SG and |
| | | later are not vulnerable; |
| | | migrate to any release in |
| | | 12.2SGA |
|————+————————–+—————————|
| 12.2SGA | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2SL | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2SM | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2SO | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2SQ | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| | | Releases prior to 12.2 |
| 12.2SRA | Not Vulnerable | (33)SRA6 are vulnerable, |
| | | release 12.2(33)SRA6 and |
| | | later are not vulnerable |
|————+————————–+—————————|
| | | Releases prior to 12.2 |
| 12.2SRB | Not Vulnerable | (33)SRB1 are vulnerable, |
| | | release 12.2(33)SRB1 and |
| | | later are not vulnerable |
|————+————————–+—————————|
| 12.2SRC | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2SRD | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2SRE | 12.2(33)SRE1 | 12.2(33)SRE1 |
|————+————————–+—————————|
| 12.2STE | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2SU | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| | | Releases prior to 12.2 |
| | | (29b)SV1 are vulnerable, |
| 12.2SV | Not Vulnerable | release 12.2(29b)SV1 and |
| | | later are not vulnerable; |
| | | migrate to any release in |
| | | 12.2SVD |
|————+————————–+—————————|
| 12.2SVA | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2SVC | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2SVD | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2SVE | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| | | Releases up to and |
| | | including 12.2(21)SW1 are |
| 12.2SW | Not Vulnerable | not vulnerable. Releases |
| | | 12.2(25)SW12 and later |
| | | are not vulnerable; first |
| | | fixed in 12.4T |
|————+————————–+—————————|
| | | Releases up to and |
| 12.2SX | Not Vulnerable | including 12.2(14)SX2 are |
| | | not vulnerable. |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2SXA | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2SXB | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2SXD | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2SXE | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Releases prior to 12.2 |
| | | (18)SXF11 are vulnerable, |
| 12.2SXF | Not Vulnerable | releases 12.2(18)SXF11 |
| | | and later are not |
| | | vulnerable |
|————+————————–+—————————|
| 12.2SXH | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2SXI | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2SY | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2SZ | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| 12.2T | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2TPC | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| 12.2XA | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2XB | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2XC | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2XD | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2XE | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2XF | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2XG | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2XH | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2XI | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2XJ | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2XK | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2XL | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2XM | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2XN | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.2SB |
|————+————————–+—————————|
| 12.2XNA | Please see Cisco IOS-XE | Please see Cisco IOS-XE |
| | Software Availability | Software Availability |
|————+————————–+—————————|
| 12.2XNB | Please see Cisco IOS-XE | Please see Cisco IOS-XE |
| | Software Availability | Software Availability |
|————+————————–+—————————|
| 12.2XNC | Please see Cisco IOS-XE | Please see Cisco IOS-XE |
| | Software Availability | Software Availability |
|————+————————–+—————————|
| 12.2XND | Please see Cisco IOS-XE | Please see Cisco IOS-XE |
| | Software Availability | Software Availability |
|————+————————–+—————————|
| 12.2XNE | Please see Cisco IOS-XE | Please see Cisco IOS-XE |
| | Software Availability | Software Availability |
|————+————————–+—————————|
| 12.2XNF | Please see Cisco IOS-XE | Please see Cisco IOS-XE |
| | Software Availability | Software Availability |
|————+————————–+—————————|
| 12.2XO | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2XQ | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2XR | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2XS | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2XT | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2XU | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2XV | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2XW | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2YA | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2YB | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2YC | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2YD | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2YE | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2YF | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| 12.2YG | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2YH | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2YJ | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2YK | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2YL | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| 12.2YM | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2YN | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| 12.2YO | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2YP | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2YQ | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2YR | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2YS | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2YT | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2YU | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Releases prior to 12.2 |
| 12.2YV | Not Vulnerable | (11)YV1 are vulnerable, |
| | | release 12.2(11)YV1 and |
| | | later are not vulnerable |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2YW | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2YX | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2YY | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2YZ | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| 12.2ZA | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| | | Releases up to and |
| 12.2ZB | Not Vulnerable | including 12.2(8)ZB are |
| | | not vulnerable. |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2ZC | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2ZD | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| 12.2ZE | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2ZF | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.2ZG | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.2ZH | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2ZJ | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2ZL | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2ZP | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2ZU | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| 12.2ZX | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2ZY | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.2ZYA | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| Affected | | First Fixed Release for |
| 12.3-Based | First Fixed Release for | All Advisories in the |
| Releases | This Advisory | September 2010 Bundle |
| | | Publication |
|————+————————–+—————————|
| 12.3 | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3B | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3BC | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.3BW | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.3EU | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.3JA | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.3JEA | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.3JEB | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.3JEC | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.3JED | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| | | Releases up to and |
| | | including 12.3(2)JK3 are |
| 12.3JK | Not Vulnerable | not vulnerable. Releases |
| | | 12.3(8)JK1 and later are |
| | | not vulnerable; first |
| | | fixed in 12.4T |
|————+————————–+—————————|
| 12.3JL | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| 12.3JX | Not Vulnerable | Not Vulnerable |
|————+————————–+—————————|
| | Vulnerable; first fixed | |
| | in 12.4 | |
| 12.3T | | Vulnerable; first fixed |
| | Releases up to and | in 12.4T |
| | including 12.3(11)T11 | |
| | are not vulnerable. | |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.3TPC | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| 12.3VA | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3XA | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.3XB | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| 12.3XC | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3XD | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3XE | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.3XF | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|————+————————–+—————————|
| 12.3XG | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| | | Releases prior to 12.3(7) |
| | | XI11 are vulnerable, |
| 12.3XI | Not Vulnerable | release 12.3(7)XI11 and |
| | | later are not vulnerable; |
| | | first fixed in 12.2SB |
|————+————————–+—————————|
| 12.3XJ | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4XR |
|————+————————–+—————————|
| 12.3XK | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3XL | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3XQ | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3XR | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3XS | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3XU | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3XW | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3XX | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3XY | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3XZ | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3YA | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3YD | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3YF | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4XR |
|————+————————–+—————————|
| 12.3YG | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3YH | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3YI | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3YJ | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|————+————————–+—————————|
| 12.3YK | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|————+————————–+—————————|
| 12.3YM | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T
