Cisco Network Products Affected By Bug

December 30, 2018

Cisco is currently looking into its product line to determine which products and services use Linux kernel 3.9 or above, which is vulnerable to the FragmentSmack denial-of-service (DoS) bug.

The networking hardware manufacturer has already assembled a list of more than 80 affected products; fixes for many of them are expected by February 2019.

The products currently under investigation are from the routing and switching category, designed for enterprises and service providers. More specifically, the company is looking at the Application Policy Infrastructure Controller Enterprise Module (APIC-EM).

APIC-EM delivers software-defined networking and automates policy-based application profiles, so that devices can be deployed quickly across the network or adapted to new requirements.

Workarounds and mitigation solutions

Until a patch becomes available, Cisco recommends customers check the product-specific documentation for possible workarounds.

Administrators may be able to use rate-limiting measures, such as access control lists (ACLs), to control the stream of fragmented packets reaching an interface.

In an advisory published on Monday, Cisco notes that off-device mitigations can also be a valid way of controlling the flow of IP fragments.

FragmentSmack is not a Linux-only threat

Identified as CVE-2018-5391, FragmentSmack allows an unauthenticated attacker to increase CPU usage to maximum on an affected machine, rendering it unresponsive.

This is possible because of the inefficient algorithms available in the IP stack the Linux kernel uses for the reassembly of IPv4 or IPv6 packets.

Although the bug was first discovered on Linux, along with its sibling SegmentSmack, which relies on crafted TCP packets to trigger a DoS condition, FragmentSmack affects Windows operating systems, too. Patches are currently available for both Linux and Windows.

Systems under a DoS attack with FragmentSmack are inoperable for the duration of the assault. As soon as the packet stream stops, the operating system returns to its normal functioning state.
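The two behaviours the article describes, a flood of fragments that an ACL would rate-limit and reassembly queues that never complete and so keep the kernel busy, can both be observed from the defender's side. The following script is an added example, not code from the article or from Cisco's advisory: it reads a constructed, simplified per-packet log (format, addresses and thresholds are all assumptions for this example) and reports, per source address, the peak number of IP fragments seen in any one-second window and the number of fragment groups that never received a last fragment.

```python
"""Defender-side monitor for IP fragment floods of the kind FragmentSmack relies on.

Input is a constructed, simplified log with one line per IPv4 packet:
    epoch_seconds,src,dst,ip_id,frag_offset,more_fragments
The log format, the sample addresses and the thresholds below are assumptions
made for this example; they are not Cisco's, Linux's or the article's.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    ip_id: int
    frag_offset: int      # in 8-byte units, as carried in the IPv4 header
    more_fragments: bool  # the MF flag

    @property
    def is_fragment(self) -> bool:
        # A packet belongs to a fragmented datagram if MF is set or the offset is nonzero.
        return self.more_fragments or self.frag_offset != 0


def parse_line(line: str) -> Packet:
    ts, src, dst, ip_id, off, mf = (f.strip() for f in line.split(","))
    return Packet(float(ts), src, dst, int(ip_id), int(off), mf == "1")


def peak_fragments_per_window(packets, window: float = 1.0) -> dict:
    """Highest number of fragments each source sent within any `window` seconds."""
    by_src = defaultdict(list)
    for p in packets:
        if p.is_fragment:
            by_src[p.src].append(p.ts)
    peaks = {}
    for src, stamps in by_src.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] >= window:
                start += 1
            best = max(best, end - start + 1)
        peaks[src] = best
    return peaks


def incomplete_groups(packets) -> dict:
    """Per source: fragment groups (src, dst, ip_id) that never saw a last fragment.

    A group with no MF=0 fragment cannot be reassembled and sits in the
    receiver's reassembly queue until it times out; many such groups from one
    source are the signature of a reassembly-exhaustion attempt."""
    groups = defaultdict(lambda: {"frags": 0, "last_seen": False})
    for p in packets:
        if not p.is_fragment:
            continue
        g = groups[(p.src, p.dst, p.ip_id)]
        g["frags"] += 1
        if not p.more_fragments:
            g["last_seen"] = True
    counts = defaultdict(int)
    for (src, _, _), g in groups.items():
        if not g["last_seen"]:
            counts[src] += 1
    return dict(counts)


def flag_sources(lines, rate_threshold: int = 50, incomplete_threshold: int = 20) -> dict:
    """Sources that exceed either threshold, with the reasons they were flagged."""
    packets = [parse_line(line) for line in lines if line.strip()]
    peaks = peak_fragments_per_window(packets)
    incomplete = incomplete_groups(packets)
    flagged = {}
    for src in set(peaks) | set(incomplete):
        reasons = []
        if peaks.get(src, 0) >= rate_threshold:
            reasons.append(f"{peaks[src]} fragments/s")
        if incomplete.get(src, 0) >= incomplete_threshold:
            reasons.append(f"{incomplete[src]} never-completed groups")
        if reasons:
            flagged[src] = reasons
    return flagged


def sample_log() -> list:
    """Constructed sample: one benign two-fragment datagram, one unfragmented
    packet, and one source that sends 60 first fragments with distinct IP IDs in
    under half a second and never completes any of them."""
    lines = [
        "1000.000,192.0.2.10,198.51.100.5,4000,0,1",    # first fragment (MF=1)
        "1000.001,192.0.2.10,198.51.100.5,4000,185,0",  # last fragment (offset 185*8 bytes)
        "1000.002,192.0.2.11,198.51.100.5,4001,0,0",    # ordinary unfragmented packet
    ]
    for i in range(60):
        lines.append(f"{1000 + i * 0.008:.3f},203.0.113.7,198.51.100.5,{5000 + i},0,1")
    return lines


if __name__ == "__main__":
    for src, reasons in flag_sources(sample_log()).items():
        print(f"{src}: {', '.join(reasons)}")
```

The two counters map onto the two mitigation options the advisory mentions: the per-window fragment rate is what an ACL or rate limiter on the interface acts on, while the count of never-completed groups is what an off-device filter would watch for, since it reflects reassembly state rather than raw packet volume.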

Some of the routing and networking equipment currently identified as vulnerable includes:

  • Cisco Cloud Services Platform 2100
  • Cisco Tetration Analytics
  • Cisco vEdge 100 Series Routers
  • Cisco vEdge 1000 Series Routers
  • Cisco vEdge 2000 Series Routers
  • Cisco vEdge 5000 Series Routers
  • Cisco vEdge Cloud Router Platform
  • Cisco ACI Virtual Edge
  • Cisco Application Policy Infrastructure Controller (APIC)
  • Cisco DNA Center
  • Cisco IOS XE Software
  • Cisco IOx Fog Director
  • Cisco MDS 9000 Series Multilayer Switches
  • Cisco Network Assurance Engine
  • Cisco Nexus 3000 Series Switches
  • Cisco Nexus 7000 Series Switches
  • Cisco Nexus 9000 Series Fabric Switches – ACI mode
  • Cisco Nexus 9000 Series Switches – Standalone, NX-OS mode
  • Cisco Aironet 1560 Series Access Points
  • Cisco Aironet 1815 Series Access Points
  • Cisco Aironet 2800 Series Access Points
  • Cisco Aironet 3800 Series Access Points
  • Cisco Mobility Services Engine
  • Cisco Wireless LAN Controller
