2007-02-13 - Cisco - IOS IPS Vulnerabilities - IOS
Vulnerability Description
Versions 12.3(2)T, 12.3(4)T, and 12.3(7)T are NOT vulnerable.
The Intrusion Prevention System (IPS) feature set of Cisco IOS® contains several vulnerabilities. These include:
* Fragmented IP packets may be used to evade signature inspection.
* IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may cause a router to crash, resulting in a denial of service.
There are mitigations and workarounds for these vulnerabilities. Cisco has made free software available to address these vulnerabilities for affected customers.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml.
Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection-based feature that enables Cisco IOS software to mitigate network attacks. Cisco IOS IPS enables the network to defend itself with the intelligence to identify, classify, and stop or block certain malicious or damaging traffic in real time. The IOS IPS feature set contains multiple vulnerabilities. Only IOS images containing the IPS feature set are affected by these vulnerabilities.
Fragmented Packet Evasion Vulnerability
Some of the IPS signatures utilize regular expressions. Due to a vulnerability, an attacker can evade those IPS signatures by sending malicious network traffic as IP fragments. This may result in malicious traffic bypassing signature inspection and possibly allow the exploitation of protected systems. IPS signatures which do not utilize regular expressions are not affected by this vulnerability. All IP protocols (e.g. TCP, UDP, ICMP) are affected by this vulnerability. There is a mitigation for this vulnerability. This vulnerability is documented in Cisco Bug ID CSCsg15598 (registered customers only).
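As an added illustration of why fragmentation defeats per-fragment signature matching (this is example code, not Cisco's, and it does not describe IOS IPS internals), the following Python contrasts an inspector that runs a regular-expression signature over each fragment in isolation with one that performs virtual reassembly first; the fragment structure, the signature and the payload are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed toy signature: a regular expression, as the affected IPS signatures use.
SIGNATURE = re.compile(rb"EVIL-PAYLOAD")


@dataclass(frozen=True)
class Fragment:
    """Simplified stand-in for an IP fragment (hypothetical structure)."""
    offset: int   # byte offset of this fragment's data within the original datagram
    more: bool    # "more fragments" flag
    data: bytes


def inspect_per_fragment(frags):
    """Naive inspector: the signature is run over each fragment on its own.
    A pattern that straddles a fragment boundary is never seen in full."""
    return any(SIGNATURE.search(f.data) is not None for f in frags)


def reassemble(frags):
    """Virtual reassembly: order fragments by offset, require a contiguous,
    complete datagram, and return the reconstructed payload."""
    ordered = sorted(frags, key=lambda f: f.offset)
    buf = bytearray()
    for f in ordered:
        if f.offset != len(buf):
            raise ValueError("gap or overlap at offset %d" % f.offset)
        buf += f.data
    if ordered and ordered[-1].more:
        raise ValueError("incomplete datagram: last fragment has MF set")
    return bytes(buf)


def inspect_reassembled(frags):
    """Inspector that reassembles before matching, so the split pattern is detected."""
    return SIGNATURE.search(reassemble(frags)) is not None


# Constructed sample: the signature's pattern is split across two fragments.
FRAGS = [
    Fragment(offset=0, more=True, data=b"GET /index.html EVIL-PA"),
    Fragment(offset=23, more=False, data=b"YLOAD HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    print("per-fragment match:", inspect_per_fragment(FRAGS))   # False: evaded
    print("reassembled match: ", inspect_reassembled(FRAGS))    # True: detected
```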
ATOMIC.TCP Regular Expression Denial of Service Vulnerability
Certain network traffic can trigger IPS signatures that use the regular expression feature of the ATOMIC.TCP signature engine, which may cause the IOS IPS device to crash. This may cause a denial of service resulting in disruption of network traffic. Signature 3123.0 (Netbus Pro Traffic) has been demonstrated to trigger this vulnerability. There is a workaround for this vulnerability.