Cisco IOS XR Software IPv6 Flood Denial of Service Vulnerability

A vulnerability in the IPv6 protocol handling of the management interfaces of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause an IPv6 flood on the management interface network of an affected device.

The vulnerability exists because the software incorrectly forwards IPv6 packets that have an IPv6 node-local multicast group address destination and are received on the management interfaces. An attacker could exploit this vulnerability by connecting to the same network as the management interfaces and injecting IPv6 packets that have an IPv6 node-local multicast group address destination. A successful exploit could allow the attacker to cause an IPv6 flood on the corresponding network. Depending on the number of Cisco IOS XR Software nodes on that network segment, exploitation could cause excessive network traffic, resulting in network degradation or a denial of service (DoS) condition.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xripv6-spJem78K

Security Impact Rating: High

CVE: CVE-2021-1268

Related:

  • No Related Posts

Cisco Small Business Smart and Managed Switches Denial of Service Vulnerability

A vulnerability in the IPv6 packet processing engine of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

The vulnerability is due to insufficient validation of incoming IPv6 traffic. An attacker could exploit this vulnerability by sending a crafted IPv6 packet through an affected device. A successful exploit could allow the attacker to cause an unexpected reboot of the switch, leading to a DoS condition.

This vulnerability is specific to IPv6 traffic. IPv4 traffic is not affected.

Cisco has released software updates that address this vulnerability for devices that have not reached the end of software maintenance. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbss-ipv6-dos-3bLk6vA

Security Impact Rating: High

CVE: CVE-2020-3363

Related:

  • No Related Posts

Cisco StarOS IPv6 Denial of Service Vulnerability

A vulnerability in the IPv6 implementation of Cisco StarOS could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

The vulnerability is due to insufficient validation of incoming IPv6 traffic. An attacker could exploit this vulnerability by sending a crafted IPv6 packet to an affected device with the goal of reaching the vulnerable section of the input buffer. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

This vulnerability is specific to IPv6 traffic. IPv4 traffic is not affected.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asr5k-ipv6-dos-ce3zhF8m

Security Impact Rating: Medium

CVE: CVE-2020-3500

Related:

  • No Related Posts

Cisco Products IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability

A vulnerability in the IP Version 6 (IPv6) packet processing functions of multiple Cisco products could allow an unauthenticated, remote attacker to cause an affected device to stop processing IPv6 traffic, leading to a denial of service (DoS) condition on the device.

The vulnerability is due to insufficient processing logic for crafted IPv6 packets that are sent to an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 Neighbor Discovery (ND) packets to an affected device for processing. A successful exploit could allow the attacker to cause the device to stop processing IPv6 traffic, leading to a DoS condition on the device.

This vulnerability is not Cisco specific: any IPv6 processing unit not capable of dropping such packets early in the processing path or in hardware is affected by this vulnerability.

Cisco will release software updates that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6

Security Impact Rating: High

CVE: CVE-2016-1409

Related:

  • No Related Posts

SMG 10.6.3-2 IPv6 prefix length

I need a solution

Hello,

I’ve a SMG 10.6.3.-2 and want to configure IPv6.

The problem is, that the web-interface only allows /64 prefix for IPv6 address, but I’ve to use a /112 prefix.

Is there any possibility to configure the 112 prefix?

Thanks,
Martin

0

Related:

How to get the IPv6 address of SEP clients?

I need a solution

Hi,

We’re checking around the console on where to find the IPv6 address of our clients specifically on  the Monitors and Reports menu. We can’t find it so far, do you guys know where we can find it?

Btw, the ipv6 is already enabled in our network, we can already see the IPv6 address on the workstation when we check the network adapters.

Thank you,

0

Related:

Event ID 4203 — TCP/IP Configuration

Event ID 4203 — TCP/IP Configuration

Updated: April 17, 2008

Applies To: Windows Server 2008

TCP/IP configuration encompasses network settings, default gateway, and IP address (static or dynamic).

 

 

Event Details

Product: Windows Operating System
ID: 4203
Source: tcpip
Version: 6.0
Symbolic Name: EVENT_TCPIP_IPV4_UNINSTALLED
Message: The system detected that IPv4 is not installed. This may cause some networking services to fail to start, or to malfunction. To install IPv4, use “netsh interface ipv4 install”.

Resolve

This is a normal condition. No further action is required.

Related Management Information

TCP/IP Configuration

Networking

Related:

Event ID 15005 — HTTP Service Namespace Management

Event ID 15005 — HTTP Service Namespace Management

Updated: April 17, 2008

Applies To: Windows Server 2008

To receive HTTP requests, a server application must have its URL registered with the HTTP Service. If the server application is running without administrative credentials, the server application must reserve a URL namespace before it can register. Reserving a URL namespace creates an access control list (ACL) for that namespace. Additionally, a server application (hosted by the HTTP Service) might conflict with another application (not hosted by the HTTP Service) if both use the same IP addresses and port.

Event Details

Product: Windows Operating System
ID: 15005
Source: Microsoft-Windows-HttpEvent
Version: 6.0
Symbolic Name: EVENT_HTTP_CREATE_ENDPOINT_FAILED
Message: Unable to bind to the underlying transport for %2. The IP Listen-Only list may contain a reference to an interface which does not exist on this machine. The data field contains the error number.

Resolve
Add an address to the IP Listen List

Server applications can be separated by using an IP Listen List.

To add an address to the IP Listen List:

  1. Click Start, point to All Programs, click Accessories, right-click Command Prompt, click Run as administrator, and then click Continue.
  2. Type netsh http add iplistenIPAddress.

Note:  The IP address must exist on the local computer.

add iplisten

Specifies an Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) address to be added to the IP listen list.

Syntax

add iplisten [ address=] IPAddress

Parameters

Term

Description

[ address=] IPAddress

Specifies the IPv4 or IPv6 address to be added to the IP listen list.

Remarks

Adds a new IP address to the IP listen list. This does not include the port number. The IP listen list is used to scope the list of addresses to which the HTTP service binds. “0.0.0.0” means any IPv4 address and “::” means any IPv6 address.

Examples

add iplisten address=fe80::1

add iplisten address=1.1.1.1

add iplisten address=0.0.0.0

add iplisten address=::

Verify

To verify the ACLs for your server application’s URL exist:

  1. Click Start, point to All Programs, click Accessories, right-click Command Prompt, click Run as administrator, and then click Continue.
  2. Type netsh http show urlacl, and verify that the ACLs for the application’s URL exist.

To see which applications are listening on the same port as your server application:

  1. Click Start, point to All Programs, click Accessories, right-click Command Prompt, click Run as administrator, and then click Continue.
  2. Type netstat -ba and verify that the IP Listen List exists.

Related Management Information

HTTP Service Namespace Management

Networking

Related: