VAR-201008-0200
Vulnerability from variot - Updated: 2025-04-11 23:09
Cisco IOS 15.1(2)T allows remote attackers to cause a denial of service (resource consumption and TCP outage) via spoofed TCP packets, related to embryonic TCP connections that remain in the SYN_RCVD or SYN_SENT state, aka Bug ID CSCti18193. In Cisco IOS, deficiencies in the handling of TCP connections in the SYN_RCVD or SYN_SENT state can lead to a denial-of-service (DoS) condition. Cisco IOS is prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause the affected device to remain in the SYNRCVD or SYNSENT state. Successfully exploiting this issue will allow attackers to consume system resources and prevent the affected device from initiating new TCP connections, denying service to legitimate users. This issue is tracked by Cisco Bug ID CSCti18193.
TITLE: Cisco IOS TCP Connection Handling Denial of Service
SECUNIA ADVISORY ID: SA40958
VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40958/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40958
RELEASE DATE: 2010-08-14
DISCUSS ADVISORY: http://secunia.com/advisories/40958/#comments
DESCRIPTION: A vulnerability has been reported in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability exists due to an error in the handling of TCP packets during the establishment phase.
Successful exploitation does not require a full TCP three-way handshake and is possible e.g. via spoofed TCP packets.
PROVIDED AND/OR DISCOVERED BY: Reported to the vendor by a customer.
ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20100812-tcp.shtml
No authentication is required to exploit this vulnerability. An attacker does not need to complete a three-way handshake to trigger this vulnerability; therefore, this vulnerability can be exploited using spoofed packets. This vulnerability may be triggered by normal network traffic.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100812-tcp.shtml. To determine the Cisco IOS Software Release that is running on a Cisco product, administrators can log in to the device and issue the "show version" command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software Release name. Other Cisco devices do not have the "show version" command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 15.1(2)T with an installed image name of C2800NM-ENTSERVICES-M:
Router#show version
Cisco IOS Software, 2800 Software (C2800NM-ENTSERVICES-M), Version 15.1(2)T,
RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Mon 19-Jul-10 16:38 by prod_rel_team
<output truncated>
Additional information about Cisco IOS Software Release naming conventions is available in the White Paper: Cisco IOS Reference Guide.
No other Cisco products are currently known to be affected by this vulnerability.
Details
TCP provides reliable data transmission services in packet-switched network environments. TCP corresponds to the transport layer (Layer 4) of the OSI reference model. Among the services TCP provides are stream data transfer, reliability, efficient flow control, full-duplex operation, and multiplexing. All allocated TCBs, associated TCP port numbers, and the TCP state are displayed in the output of the "show tcp brief all" command-line interface (CLI) command. Examining the output of the "show tcp brief all" command multiple times will indicate if TCP sessions remain in one of these states.
This vulnerability is triggered only by TCP traffic that is terminated by or originated from the device. Transit traffic will not trigger this vulnerability.
Both connections to and from the router could trigger this vulnerability. For example, an administrator may still be able to ping the device but fail to establish a Telnet or SSH connection to the device. Administrators who attempt a Telnet or an SSH connection to a remote device from the CLI prompt will encounter a hung session and the "Trying ..." prompt. The connection that is initiated or terminated by the router can be removed from the socket table by clearing the associated TCB with the "clear tcp tcb 0x " command.
Devices could be vulnerable if the output of the CLI command "debug ip tcp transactions" displays the error messages "connection queue limit reached: port " or "No wild listener: port ".
Devices could also be vulnerable if output from repeated "show tcp brief all" CLI commands indicates many TCBs in the state SYNRCVD or SYNSENT.
The following example shows a device that has several HTTP, SSH, and Telnet sessions in the TCP SYNRCVD state:
Example#show tcp brief all
TCB Local Address Foreign Address (state)
07C2D6C8 192.168.0.2.443 192.168.0.5.11660 SYNRCVD
07C38128 192.168.0.2.23 192.168.0.5.35018 SYNRCVD
07C2DD60 192.168.0.2.443 192.168.0.5.19316 SYNRCVD
07C2A8A0 192.168.0.2.80 192.168.0.5.13818 SYNRCVD
<output truncated>
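The repeated-capture check described above can be automated off-box. The following is an added example, not part of the Cisco advisory or its EEM script: it parses several saved "show tcp brief all" captures and reports TCBs that stay in SYNRCVD or SYNSENT across consecutive captures. The function names, the three-capture threshold, and every sample row other than the four taken from the advisory's output are assumptions constructed for illustration.

```python
"""Flag TCBs that remain in SYNRCVD/SYNSENT across repeated captures."""
import re
from collections import Counter

# States the advisory associates with hung embryonic connections.
EMBRYONIC_STATES = {"SYNRCVD", "SYNSENT"}

# A data row is: hex TCB address, local addr.port, foreign addr.port, state.
# The prompt line, the column header and "<output truncated>" do not match.
ROW_RE = re.compile(r"^\s*([0-9A-Fa-f]{6,16})\s+(\S+)\s+(\S+)\s+([A-Z0-9]+)\s*$")


def parse_snapshot(text):
    """Return the set of (tcb, local, foreign, state) rows in one capture."""
    rows = set()
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            tcb, local, foreign, state = m.groups()
            rows.add((tcb.upper(), local, foreign, state))
    return rows


def stuck_tcbs(snapshots, min_consecutive=3):
    """Rows seen in an embryonic state in each of the last N captures.

    Keying on the whole row (not just the TCB address) avoids counting a
    reused TCB address that now belongs to a different connection.
    """
    run = {}
    for text in snapshots:
        current = {r for r in parse_snapshot(text) if r[3] in EMBRYONIC_STATES}
        # Rows absent from this capture fall out, so the count is consecutive.
        run = {row: run.get(row, 0) + 1 for row in current}
    return sorted(row for row, n in run.items() if n >= min_consecutive)


def stuck_by_local_port(rows):
    """Count stuck rows per local TCP port to show which services are hit."""
    return Counter(local.rpartition(".")[2] for _, local, _, _ in rows)


# Constructed sample input. The four 192.168.0.5 rows come from the advisory's
# example output; the 07C3xxxx port-22 rows are invented to show normal
# connections that must not be flagged.
SNAP1 = """\
Example#show tcp brief all
TCB       Local Address       Foreign Address      (state)
07C2D6C8  192.168.0.2.443     192.168.0.5.11660    SYNRCVD
07C38128  192.168.0.2.23      192.168.0.5.35018    SYNRCVD
07C2DD60  192.168.0.2.443     192.168.0.5.19316    SYNRCVD
07C2A8A0  192.168.0.2.80      192.168.0.5.13818    SYNRCVD
07C3B550  192.168.0.2.22      192.168.0.9.50212    SYNRCVD
07C39F10  192.168.0.2.22      192.168.0.7.40122    ESTAB
"""
# One interval later: the handshake on 07C3B550 has completed normally.
SNAP2 = SNAP1.replace("192.168.0.9.50212    SYNRCVD", "192.168.0.9.50212    ESTAB")
# Another interval later: one fresh SYN arrives; it has been seen only once.
SNAP3 = SNAP2 + "07C3C000  192.168.0.2.22      192.168.0.11.41000   SYNRCVD\n"
SNAPSHOTS = [SNAP1, SNAP2, SNAP3]

if __name__ == "__main__":
    stuck = stuck_tcbs(SNAPSHOTS)
    for tcb, local, foreign, state in stuck:
        print(f"{tcb}  {local:<20} {foreign:<22} {state}")
    print(dict(stuck_by_local_port(stuck)))
```

The capture interval should be well above a normal handshake time (the advisory's EEM sample uses 60 seconds) so that healthy embryonic connections drop out between captures.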
Any TCP session can be cleared by clearing the associated TCB with "clear tcp tcb 0x ". Alternatively, administrators can clear all TCBs at once by issuing "clear tcp tcb *".
Note: This will clear all active and hung TCP connections. This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2827.
Some TCP application specific information is provided in the following sections:
Telnet and SSH
Telnet cannot be explicitly disabled on a Cisco IOS device. Configuring "transport input none" on the vty lines of a vulnerable device will prevent it from being exploited on TCP port 23. However, if the Cisco IOS SSH server feature is configured on the device, "transport input none" will not prevent the device from being exploited on TCP port 22.
Configuring vty access control lists only partially mitigates this vulnerability, because the vulnerability can be exploited using spoofed IP source addresses.
Border Gateway Protocol
Routers that are configured with Border Gateway Protocol (BGP) can be protected further by using the Generalized Time to Live (TTL) Security Mechanism (GTSM) feature. GTSM allows users to configure the expected TTL of a packet between a source and destination address. Packets that fail the GTSM check will be dropped before TCP processing occurs, which prevents an attacker from exploiting this vulnerability through BGP. GTSM is implemented with the command "ttl-security hops".
Further information on protecting BGP can be found in "Protecting Border Gateway Protocol for the Enterprise" (http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html#7).
TCP MD5 Authentication for BGP does not prevent this vulnerability from being exploited.
Vulnerability Scoring Details
Cisco has provided a score for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
- CSCti18193 ("TCP connections never timeout in IOS 15.1(2)T")
CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete
CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed
Impact
Successful exploitation of this vulnerability may prevent some TCP applications on Cisco IOS Software from accepting any new connections. Exploitation could also prevent remote access to the affected system via the vtys. Remote access to the affected device via out-of-band connectivity to the console port should still be available.
Software Versions and Fixes
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. If a release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table.
+------------------------------+-----------------------------------------------+
| Major Release                | Availability of Repaired Releases             |
+------------------------------+-----------------------------------------------+
| Affected 12.x-Based Releases | First Fixed Release                           |
+------------------------------+-----------------------------------------------+
| 12.0 - 12.4                  | 12.0 through 12.4 based releases are not      |
|                              | affected                                      |
+------------------------------+-----------------------------------------------+
| Affected 15.0-Based Releases | First Fixed Release                           |
+------------------------------+-----------------------------------------------+
| 15.0                         | There are no affected 15.0 based releases     |
+------------------------------+-----------------------------------------------+
| Affected 15.1-Based Releases | First Fixed Release                           |
+------------------------------+-----------------------------------------------+
| 15.1T                        | 15.1(2)T0a                                    |
|                              | 15.1(2)T1; available on 20-AUG-2010           |
|                              | Releases prior to 15.1(2)T are not            |
|                              | vulnerable. The vulnerability is first fixed  |
|                              | in release 15.1(2)T0a.                        |
+------------------------------+-----------------------------------------------+
Workarounds
The only complete workaround to mitigate this vulnerability is to disable the specific features that make a device vulnerable, if this action is feasible.
Allowing only legitimate devices to connect to affected devices will help limit exposure to this vulnerability. Refer to the following Control Plane Policing and Configuring Infrastructure Access Lists subsections for further details. Because a TCP three-way handshake is not required, the mitigation must be combined with anti-spoofing measures on the network edge to increase effectiveness.
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link:
http://www.cisco.com/warp/public/707/cisco-amb-20100812-tcp.shtml
Cisco Guide to Harden Cisco IOS Devices
The Cisco Guide to Harden Cisco IOS Devices provides examples of many useful techniques to mitigate TCP state manipulation vulnerabilities. These include:
- Infrastructure Access Control Lists (iACL)
- Receive Access Control Lists (rACL)
- Transit Access Control Lists (tACL)
- vty Access Control Lists
- Control Plane Policing (CoPP)
- Control Plane Protection (CPPr)
For more information on these topics, consult "Cisco Guide to Harden Cisco IOS Devices" (http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml).
CoPP
For devices that need to offer TCP services, administrators can use CoPP to block TCP traffic from untrusted sources that is destined to the affected device. CoPP may be configured on a device to protect the management and control planes and minimize the risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic sent to infrastructure devices in accordance with existing security policies and configurations. The following example can be adapted to specific network configurations:
!
!-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
!-- Everything else is not trusted. The following access list is used
!-- to determine what traffic needs to be dropped by a control plane
!-- policy (the CoPP feature.) If the access list matches (permit),
!-- then traffic will be dropped. If the access list does not
!-- match (deny), then traffic will be processed by the router.
!-- Note that TCP ports 22 and 23 are examples; this
!-- configuration needs to be expanded to include all used
!-- TCP ports.
!
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 22
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 23
access-list 100 deny tcp host 172.16.1.1 any eq 22
access-list 100 deny tcp host 172.16.1.1 any eq 23
access-list 100 permit tcp any any
!
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!-- Create a class map for traffic that will be policed by
!-- the CoPP feature.
!
class-map match-all drop-tcp-class
 match access-group 100
!
!-- Create a policy map that will be applied to the
!-- Control Plane of the device, and add the "drop-tcp-class"
!-- class map.
!
policy-map control-plane-policy
 class drop-tcp-class
  drop
!
!-- Apply the policy map to the control plane of the
!-- device.
!
control-plane
 service-policy input control-plane-policy
Warning: Because a TCP three-way handshake is not required to exploit this vulnerability, it is possible to spoof the IP address of the sender, which could defeat access control lists (ACLs) that permit communication to these ports from trusted IP addresses.
In the preceding CoPP example, the access control entries (ACEs) that match the potential exploit packets with the "permit" action result in these packets being discarded by the policy-map "drop" function, while packets that match the "deny" action (not shown) are not affected by the policy-map drop function. Additional information on the configuration and use of the CoPP feature can be found at "Control Plane Policing Implementation Best Practices" (http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html) and "Control Plane Policing" (http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html).
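The inverted permit/deny meaning described above is easy to misread when the access list is extended to more ports. The following added example, which is not Cisco code, evaluates access list 100 from the CoPP sample against a few constructed packets and returns what the control-plane policy would do with each. It handles only the ACL syntax used in that sample ("any", "host A", "A wildcard", optional destination "eq port"); the function names, the router address 192.168.0.2 and the test packets are assumptions.

```python
"""Model how the sample CoPP policy treats packets matched by ACL 100."""
import ipaddress

# Access list 100 exactly as shown in the CoPP sample configuration.
ACL_100 = """\
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 22
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 23
access-list 100 deny tcp host 172.16.1.1 any eq 22
access-list 100 deny tcp host 172.16.1.1 any eq 23
access-list 100 permit tcp any any
"""


def _take_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard) ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acl(text):
    """Parse the ACL subset used in the sample into a list of ACE tuples."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append((action, proto, src, dst, port))
    return aces


def _addr_match(addr, spec):
    """Wildcard-mask compare: bits set in the wildcard are 'don't care'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def copp_verdict(aces, src, dst, dport, proto="tcp"):
    """Return 'drop' or 'process' for a packet punted to the control plane.

    First matching ACE wins. Under the 'drop' class, an ACE with 'permit'
    puts the packet in drop-tcp-class (dropped); 'deny' exempts it.
    """
    for action, ace_proto, ace_src, ace_dst, ace_port in aces:
        if ace_proto != proto:
            continue
        if (_addr_match(src, ace_src) and _addr_match(dst, ace_dst)
                and ace_port in (None, dport)):
            return "drop" if action == "permit" else "process"
    # Implicit deny at the end of the ACL: not in the class, so not dropped.
    return "process"


# Constructed test packets: (source, destination, destination port).
ROUTER = "192.168.0.2"  # assumed address of the protected device
PACKETS = [
    ("192.168.1.10", ROUTER, 22),   # trusted /24, listed port
    ("172.16.1.1", ROUTER, 23),     # trusted host, listed port
    ("203.0.113.7", ROUTER, 22),    # untrusted source
    ("192.168.2.10", ROUTER, 22),   # just outside the 0.0.0.255 wildcard
    ("192.168.1.10", ROUTER, 179),  # trusted source, port NOT listed
]


def verdicts(aces, packets):
    """Evaluate each packet and return (packet, verdict) pairs."""
    return [(p, copp_verdict(aces, *p)) for p in packets]


if __name__ == "__main__":
    for (src, dst, port), result in verdicts(parse_acl(ACL_100), PACKETS):
        print(f"{src:>14} -> {dst}:{port:<5} {result}")
```

The last packet shows why the sample's comment says the list must be expanded to all used TCP ports: as written, any TCP service other than ports 22 and 23 is dropped even for trusted sources.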
Configuring iACLs
Although it is often difficult to block traffic that transits a network, it is possible to identify traffic that should never be allowed to target infrastructure devices and block that traffic at the border of your network. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The white paper "Protecting Your Core: Infrastructure Protection Access Control Lists" (http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml) presents guidelines and recommended deployment techniques for infrastructure protection ACLs.
BGP Considerations
GTSM can help prevent exploitation of this vulnerability by means of the BGP port because packets that originate from devices that do not pass the TTL check configured by GTSM are dropped before any TCP processing occurs. For information on GTSM refer to "BGP Support for TTL Security Check" (http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_btsh.html) and "BGP Time To Live Security Check" (http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html#7).
Embedded Event Manager (EEM)
A Cisco IOS Embedded Event Manager (EEM) policy that is based on Tool Command Language (Tcl) can be used on vulnerable Cisco IOS devices to identify and detect a hung, extended, or indefinite TCP connection that is caused by this vulnerability. When Cisco IOS EEM detects potential exploitation of this vulnerability, the policy can trigger a response by sending a syslog message or a Simple Network Management Protocol (SNMP) trap to clear the TCP connection. The example policy provided in this document is based on a Tcl script that monitors and parses the output from two commands at defined intervals, produces a syslog message when the monitor threshold reaches its configured value, and can reset the TCP connection.
The Tcl script is available for download at the "Cisco Beyond: Embedded Event Manager (EEM) Scripting Community" (http://www.cisco.com/go/ciscobeyond) at the following link http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=2041, and the device sample configuration is provided below.
!
!-- Location where the Tcl script will be stored
!
event manager directory user policy disk0:/eem
!
!-- Define variable and set the monitoring interval
!-- as an integer (expressed in seconds)
!
event manager environment EEM_MONITOR_INTERVAL 60
!
!-- Define variable and set the threshold value as
!-- an integer for the number of retransmissions
!-- that determine if the TCP connection is hung
!-- (a recommended value to use is 15)
!
event manager environment EEM_MONITOR_THRESHOLD 15
!
!-- Define variable and set the value to "yes" to
!-- enable the clearing of hung TCP connections
!
event manager environment EEM_MONITOR_CLEAR yes
!
!-- Define variable and set to the TCP connection
!-- state or states that script will monitor, which
!-- can be a single state or a space-separated list
!-- of states
!
event manager environment EEM_MONITOR_STATES SYNRCVD SYNSENT
!
!-- Register the script as a Cisco EEM policy
!
event manager policy monitor-sockets.tcl
Obtaining Fixed Software
Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.
Customers with Service Contracts
Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.
Customers without Service Contracts
Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.
- +1 800 553 2447 (toll free from within North America)
- +1 408 526 7209 (toll call from anywhere in the world)
- e-mail: tac@cisco.com
Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Distribution
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20100812-tcp.shtml
In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.
- cust-security-announce@cisco.com
- first-bulletins@lists.first.org
- bugtraq@securityfocus.com
- vulnwatch@vulnwatch.org
- cisco@spot.colorado.edu
- cisco-nsp@puck.nether.net
- full-disclosure@lists.grok.org.uk
- comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Revision History
+------------------------------------------------------------+
| Revision 1.0 | 2010-August-12 | Initial public release.    |
+------------------------------------------------------------+
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
Copyright 2008-2010 Cisco Systems, Inc. All rights reserved.
Updated: Aug 12, 2010 Document ID: 112099
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201008-0200",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "ios",
"scope": "eq",
"trust": 1.6,
"vendor": "cisco",
"version": "15.1\\(2\\)t"
},
{
"model": "ios",
"scope": "eq",
"trust": 0.8,
"vendor": "cisco",
"version": "15.1t"
},
{
"model": "ios 15.1t",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 15.1 t1",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
}
],
"sources": [
{
"db": "BID",
"id": "42426"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001950"
},
{
"db": "CNNVD",
"id": "CNNVD-201008-152"
},
{
"db": "NVD",
"id": "CVE-2010-2827"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:cisco:ios",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2010-001950"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cisco",
"sources": [
{
"db": "BID",
"id": "42426"
}
],
"trust": 0.3
},
"cve": "CVE-2010-2827",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CVE-2010-2827",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "VHN-45432",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:N/I:N/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2010-2827",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2010-2827",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-201008-152",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-45432",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-45432"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001950"
},
{
"db": "CNNVD",
"id": "CNNVD-201008-152"
},
{
"db": "NVD",
"id": "CVE-2010-2827"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cisco IOS 15.1(2)T allows remote attackers to cause a denial of service (resource consumption and TCP outage) via spoofed TCP packets, related to embryonic TCP connections that remain in the SYN_RCVD or SYN_SENT state, aka Bug ID CSCti18193. Cisco IOS of TCP For connection, SYN_RCVD Or SYN_SENT Service operation disruption due to deficiencies (DoS) There is a vulnerability that becomes a condition. Cisco IOS is prone to a denial-of-service vulnerability. \nAn attacker can exploit this issue to cause the affected device to remain in the SYNRCVD or SYNSENT state. \nSuccessful exploiting this issue will allow attackers to consume system resources and prevent the affected device from initiating new TCP connection, denying service to legitimate users. \nThis issue is tracked by Cisco Bug ID CSCti18193. ----------------------------------------------------------------------\n\n\nGet tweets from Secunia\n\n\nhttp://twitter.com/secunia\n\n\n----------------------------------------------------------------------\n\nTITLE:\nCisco IOS TCP Connection Handling Denial of Service\n\nSECUNIA ADVISORY ID:\nSA40958\n\nVERIFY ADVISORY:\nSecunia.com\nhttp://secunia.com/advisories/40958/\nCustomer Area (Credentials Required)\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=40958\n\nRELEASE DATE:\n2010-08-14\n\nDISCUSS ADVISORY:\nhttp://secunia.com/advisories/40958/#comments\n\nAVAILABLE ON SITE AND IN CUSTOMER AREA:\n * Last Update\n * Popularity\n * Comments\n * Criticality Level\n * Impact\n * Where\n * Solution Status\n * Operating System / Software\n * CVE Reference(s)\n\nhttp://secunia.com/advisories/40958/\n\nONLY AVAILABLE IN CUSTOMER AREA:\n * Authentication Level\n * Report Reliability\n * Secunia PoC\n * Secunia Analysis\n * Systems Affected\n * Approve Distribution\n * Remediation Status\n * Secunia CVSS Score\n * CVSS\n\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=40958\n\nONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:\n * AUTOMATED 
SCANNING\n\nhttp://secunia.com/vulnerability_scanning/personal/\nhttp://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/\n\nDESCRIPTION:\nA vulnerability has been reported in Cisco IOS, which can be\nexploited by malicious people to cause a DoS (Denial of Service). \n\nThe vulnerability exists due to an error in the handling of TCP\npackets during the establishment phase. \n\nSuccessful exploitation does not require a full TCP three-way\nhandshake and is possible e.g. via spoofed TCP packets. \n\nPROVIDED AND/OR DISCOVERED BY:\nReported to the vendor by a customer. \n\nORIGINAL ADVISORY:\nhttp://www.cisco.com/warp/public/707/cisco-sa-20100812-tcp.shtml\n\nOTHER REFERENCES:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nDEEP LINKS:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXTENDED DESCRIPTION:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXTENDED SOLUTION:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXPLOIT:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\nprivate users keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\nNo authentication is required to exploit this vulnerability. 
An attacker\ndoes not need to complete a three-way handshake to trigger this\nvulnerability; therefore, this vulnerability can be exploited using\nspoofed packets. This vulnerability may be triggered by normal network\ntraffic. \n\nThis advisory is posted at\nhttp://www.cisco.com/warp/public/707/cisco-sa-20100812-tcp.shtml. To determine the Cisco IOS Software Release that is\nrunning on a Cisco product, administrators can log in to the device\nand issue the \"show version\" command to display the system banner. \nThe system banner confirms that the device is running Cisco IOS\nSoftware by displaying text similar to \"Cisco Internetwork Operating\nSystem Software\" or \"Cisco IOS Software.\" The image name displays in\nparentheses, followed by \"Version\" and the Cisco IOS Software Release\nname. Other Cisco devices do not have the \"show version\" command or may\nprovide different output. \n\nThe following example identifies a Cisco product that is running\nCisco IOS Software Release 15.1(2)T with an installed image name of\nC2800NM-ENTSERVICES-M:\n\n Router#show version\n Cisco IOS Software, 2800 Software (C2800NM-ENTSERVICES-M), Version 15.1(2)T,\n RELEASE SOFTWARE (fc1)\n Technical Support: http://www.cisco.com/techsupport\n Copyright (c) 1986-2010 by Cisco Systems, Inc. \n Compiled Mon 19-Jul-10 16:38 by prod_rel_team\n\n \u003coutput truncated\u003e\n\nAdditional information about Cisco IOS Software Release naming\nconventions is available in the White Paper: Cisco IOS Reference Guide. \n\nNo other Cisco products are currently known to be affected by this\nvulnerability. \n\nDetails\n=======\n\nTCP provides reliable data transmission services in packet-switched\nnetwork environments. TCP corresponds to the transport layer (Layer\n4) of the OSI reference model. Among the services TCP provides are\nstream data transfer, reliability, efficient flow control, full-duplex\noperation, and multiplexing. 
All allocated TCBs,\nassociated TCP port numbers, and the TCP state are displayed in the\noutput of the \"show tcp brief all\" command-line interface (CLI) command. Examining the output of\nthe \"show tcp brief all\" command multiple times will indicate if TCP\nsessions remain in one of these states. \n\nThis vulnerability is triggered only by TCP traffic that is terminated\nby or originated from the device. Transit traffic will not trigger this\nvulnerability. \n\nBoth connections to and from the router could trigger this\nvulnerability. As an example of a connection to the router, an\nadministrator may still be able to ping the device but fail to\nestablish a Telnet or SSH connection to the device. As an example of a\nconnection from the router, administrators who attempt a Telnet or an\nSSH connection to a remote device from the CLI prompt will encounter a\nhung session and the \"Trying \u003cip address|hostname\u003e ...\" prompt. The connection\nthat is initiated or terminated by the router can be removed from the\nsocket table by clearing the associated TCB with the \"clear tcp tcb\n0x\u003caddress\u003e\" command. \n\nDevices could be vulnerable if the output of the CLI command\n\"debug ip tcp transactions\" displays the error messages \"connection\nqueue limit reached: port \u003cport number\u003e\" or \"No wild listener: port\n\u003cport number\u003e\". \n\nDevices could also be vulnerable if output from repeated \"show tcp\nbrief all\" CLI commands indicates many TCBs in the state SYNRCVD or\nSYNSENT. 
\n\nThe following example shows a device that has several HTTP, SSH, and\nTelnet sessions in the TCP SYNRCVD state:\n\n Example#show tcp brief all\n TCB Local Address Foreign Address (state)\n 07C2D6C8 192.168.0.2.443 192.168.0.5.11660 SYNRCVD\n 07C38128 192.168.0.2.23 192.168.0.5.35018 SYNRCVD\n 07C2DD60 192.168.0.2.443 192.168.0.5.19316 SYNRCVD\n 07C2A8A0 192.168.0.2.80 192.168.0.5.13818 SYNRCVD\n\n \u003coutput truncated\u003e\n\nAny TCP sessions can be cleared by clearing the associated TCB with\n\"clear tcp tcb 0x\u003caddress\u003e\". Alternatively Administrators can clear all\nTCBs at once by issuing \"clear tcp tcb *\". \n\nNote: This will clear all active and hung TCP connections. This\nvulnerability has been assigned Common Vulnerabilities and Exposures\n(CVE) ID CVE-2010-2827. \n\nSome TCP application specific information is provided in the following\nsections:\n\nTelnet and SSH\n+-------------\n\nTelnet can not be explicitly disabled on a Cisco IOS device. Configuring\n\"transport input none\" on the vty lines of a vulnerable device will\nprevent it from being exploited on TCP port 23. However, if the Cisco\nIOS SSH server feature is configured on the device, \"transport input\nnone\" will not prevent the device from being exploited on TCP port 22. \n\nConfiguration of vty access control lists can partially mitigate this\nvulnerability because the vulnerability can be exploited using spoofed\nIP source addresses. \n\nBorder Gateway Protocol\n+----------------------\n\nRouters that are configured with Border Gateway Protocol (BGP) can be\nprotected further by using the Generalized Time to Live (TTL) Security\nMechanism (GTSM) feature. GTSM allows users to configure the expected\nTTL of a packet between a source and destination address. Packets that\nfail the GTSM check will be dropped before TCP processing occurs, which\nprevents an attacker from exploiting this vulnerability through BGP. \nGTSM is implemented with the command \"ttl-security hops\". 
\n\nFurther information on protecting BGP can be found in\n\"Protecting Border Gateway Protocol for the Enterprise\"\n(http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html#7). \n\nTCP MD5 Authentication for BGP does not prevent this vulnerability from\nbeing exploited. \n\nVulnerability Scoring Details\n=============================\n\nCisco has provided a score for the vulnerability in this advisory based\non the Common Vulnerability Scoring System (CVSS). The CVSS scoring in\nthis Security Advisory is done in accordance with CVSS version 2.0. \n\nCVSS is a standards-based scoring method that conveys vulnerability\nseverity and helps determine urgency and priority of response. \n\nCisco has provided a base and temporal score. Customers can then\ncompute environmental scores to assist in determining the impact of the\nvulnerability in individual networks. \n\nCisco has provided an FAQ to answer additional questions regarding CVSS\nat:\n\nhttp://www.cisco.com/web/about/security/intelligence/cvss-qandas.html\n\nCisco has also provided a CVSS calculator to help compute the\nenvironmental impact for individual networks at:\n\nhttp://intellishield.cisco.com/security/alertmanager/cvss\n\n\n* CSCti18193 (\"TCP connections never timeout in IOS 15.1(2)T\")\n\nCVSS Base Score - 7.8\n Access Vector - Network\n Access Complexity - Low\n Authentication - None\n Confidentiality Impact - None\n Integrity Impact - None\n Availability Impact - Complete\n\nCVSS Temporal Score - 6.4\n Exploitability - Functional\n Remediation Level - Official-Fix\n Report Confidence - Confirmed\n\n\nImpact\n======\n\nSuccessful exploitation of this vulnerability may prevent some TCP\napplications on Cisco IOS Software from accepting any new connections. \nExploitation could also prevent remote access to the affected system\nvia the vtys. Remote access to the affected device via out-of-band\nconnectivity to the console port should still be available. 
\n\nSoftware Versions and Fixes\n===========================\n\nWhen considering software upgrades, also consult\nhttp://www.cisco.com/go/psirt and any subsequent advisories to determine\nexposure and a complete upgrade solution. \n\nIn all cases, customers should exercise caution to be certain the\ndevices to be upgraded contain sufficient memory and that current\nhardware and software configurations will continue to be supported\nproperly by the new release. If the information is not clear, contact\nthe Cisco Technical Assistance Center (TAC) or your contracted\nmaintenance provider for assistance. If a release train is vulnerable, then the earliest\npossible releases that contain the fix (along with the anticipated date\nof availability for each, if applicable) are listed in the \"First Fixed\nRelease\" column of the table. The \"Recommended Release\" column indicates\nthe releases which have fixes for all the published vulnerabilities\nat the time of this Advisory. A device running a release in the given\ntrain that is earlier than the release in a specific column (less than\nthe First Fixed Release) is known to be vulnerable. Cisco recommends\nupgrading to a release equal to or later than the release in the\n\"Recommended Releases\" column of the table. 
\n\n+---------------------------------------+\n| Major | Availability of Repaired |\n| Release | Releases |\n|------------+--------------------------|\n| Affected | |\n| 12.x-Based | First Fixed Release |\n| Releases | |\n|------------+--------------------------|\n| 12.0 - | 12.0 through 12.4 based |\n| 12.4 | releases are not |\n| | affected |\n|------------+--------------------------|\n| Affected | |\n| 15.0-Based | First Fixed Release |\n| Releases | |\n|------------+--------------------------|\n| 15.0 | There are no affected |\n| | 15.0 based releases |\n|------------+--------------------------|\n| Affected | |\n| 15.1-Based | First Fixed Release |\n| Releases | |\n|------------+--------------------------|\n| | 15.1(2)T0a |\n| | |\n| | 15.1(2)T1; available on |\n| | 20-AUG-2010 |\n| 15.1T | |\n| | Releases prior to 15.1 |\n| | (2)T are not vulnerable. |\n| | The vulnerability is |\n| | first fixed in release |\n| | 15.1(2)T0a. |\n+---------------------------------------+\n\nWorkarounds\n===========\n\nThe only complete workaround to mitigate this vulnerability is to\ndisable the specific features that make a device vulnerable, if this\naction is feasible. \n\nAllowing only legitimate devices to connect to affected devices will\nhelp limit exposure to this vulnerability. Refer to the following\nControl Plane Policing and Configuring Infrastructure Access Lists\nsubsections for further details. Because a TCP three-way handshake\nis not required, the mitigation must be combined with anti-spoofing\nmeasures on the network edge to increase effectiveness. 
\n\nAdditional mitigations that can be deployed on Cisco devices within the\nnetwork are available in the Cisco Applied Mitigation Bulletin companion\ndocument for this advisory, which is available at the following link:\n\nhttp://www.cisco.com/warp/public/707/cisco-amb-20100812-tcp.shtml\n\nCisco Guide to Harden Cisco IOS Devices\n+--------------------------------------\n\nThe Cisco Guide to Harden Cisco IOS Devices provides examples of many\nuseful techniques to mitigate TCP state manipulation vulnerabilities. \nThese include:\n\n * Infrastructure Access Control Lists (iACL)\n * Receive Access Control Lists (rACL)\n * Transit Access Control Lists (tACL)\n * vty Access Control Lists\n * Control Plane Policing (CoPP)\n * Control Plane Protection (CPPr)\n\nFor more information on these topics, consult\n\"Cisco Guide to Harden Cisco IOS Devices\"\n(http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml). \n\nCoPP\n+---\n\nFor devices that need to offer TCP services, administrators can use\nCoPP to block TCP traffic from untrusted sources that is destined\nto the affected device. CoPP may be\nconfigured on a device to protect the management and control planes\nand minimize the risk and effectiveness of direct infrastructure\nattacks by explicitly permitting only authorized traffic sent to\ninfrastructure devices in accordance with existing security policies and\nconfigurations. The following example can be adapted to specific network\nconfigurations:\n\n !\n !-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted. \n !-- Everything else is not trusted. The following access list is used\n !-- to determine what traffic needs to be dropped by a control plane\n !-- policy (the CoPP feature.) If the access list matches (permit),\n !-- then traffic will be dropped. If the access list does not\n !-- match (deny), then traffic will be processed by the router. 
\n !-- Note that TCP ports 22 and 23 are examples; this \n !-- configuration needs to be expanded to include all used\n !-- TCP ports. \n !\n access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 22\n access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 23\n access-list 100 deny tcp host 172.16.1.1 any eq 22\n access-list 100 deny tcp host 172.16.1.1 any eq 23\n access-list 100 permit tcp any any\n\n !\n !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4\n !-- traffic in accordance with existing security policies and\n !-- configurations for traffic that is authorized to be sent\n !-- to infrastructure devices. \n !-- Create a class map for traffic that will be policed by\n !-- the CoPP feature. \n !\n class-map match-all drop-tcp-class\n match access-group 100\n\n !\n !-- Create a policy map that will be applied to the\n !-- Control Plane of the device, and add the \"drop-tcp-class\"\n !-- class map. \n !\n policy-map control-plane-policy\n class drop-tcp-class\n drop\n\n !\n !-- Apply the policy map to the control plane of the\n !-- device. \n !\n control-plane\n service-policy input control-plane-policy\n\nWarning: Because a TCP three-way handshake is not required to exploit\nthis vulnerability, it is possible to spoof the IP address of the\nsender, which could defeat access control lists (ACLs) that permit\ncommunication to these ports from trusted IP addresses. \n\nIn the preceding CoPP example, the access control entries (ACEs)\nthat match the potential exploit packets with the \"permit\" action\nresult in these packets being discarded by the policy-map \"drop\"\nfunction, while packets that match the \"deny\" action (not shown)\nare not affected by the policy-map drop function. 
Additional\ninformation on the configuration and use of the CoPP feature can\nbe found at \"Control Plane Policing Implementation Best Practices\"\n(http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html)\nand \"Control Plane Policing\"\n(http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html). \n\nConfiguring iACLs\n+----------------\n\nAlthough it is often difficult to block traffic that transits a\nnetwork, it is possible to identify traffic that should never be\nallowed to target infrastructure devices and block that traffic\nat the border of your network. Infrastructure ACLs are considered\na network security best practice and should be considered as a\nlong-term addition to good network security as well as a workaround\nfor this specific vulnerability. The white paper \"Protecting\nYour Core: Infrastructure Protection Access Control Lists\"\n(http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml)\npresents guidelines and recommended deployment\ntechniques for infrastructure protection ACLs. \n\nBGP Considerations\n+----------------\n\nGTSM can help prevent exploitation of this vulnerability by\nmeans of the BGP port because packets that originate from\ndevices that do not pass the TTL check configured by GTSM are\ndropped before any TCP processing occurs. For information\non GTSM refer to \"BGP Support for TTL Security Check\"\n(http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_btsh.html)\nand \"BGP Time To Live Security Check\"\n(http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html#7). \n\nEmbedded Event Manager (EEM)\n+---------------------------\n\nA Cisco IOS Embedded Event Manager (EEM) policy that is based on Tool\nCommand Language (Tcl) can be used on vulnerable Cisco IOS devices to\nidentify and detect a hung, extended, or indefinite TCP connection\nthat is caused by this vulnerability. 
When Cisco IOS EEM\ndetects potential exploitation of this vulnerability, the policy can\ntrigger a response by sending a syslog message or a Simple Network\nManagement Protocol (SNMP) trap to clear the TCP connection. The example\npolicy provided in this document is based on a Tcl script that monitors\nand parses the output from two commands at defined intervals, produces a\nsyslog message when the monitor threshold reaches its configured value,\nand can reset the TCP connection. \n\nThe Tcl script is available for download at the \"Cisco\nBeyond: Embedded Event Manager (EEM) Scripting Community\"\n(http://www.cisco.com/go/ciscobeyond) at the following link\nhttp://forums.cisco.com/eforum/servlet/EEM?page=eem\u0026fn=script\u0026scriptId=2041,\nand the device sample configuration is provided below. \n\n !\n !-- Location where the Tcl script will be stored\n !\n event manager directory user policy disk0:/eem\n\n !\n !-- Define variable and set the monitoring interval\n !-- as an integer (expressed in seconds)\n !\n event manager environment EEM_MONITOR_INTERVAL 60\n\n !\n !-- Define variable and set the threshold value as\n !-- an integer for the number of retransmissions\n !-- that determine if the TCP connection is hung\n !-- (a recommended value to use is 15)\n !\n event manager environment EEM_MONITOR_THRESHOLD 15\n\n !\n !-- Define variable and set the value to \"yes\" to\n !-- enable the clearing of hung TCP connections\n !\n event manager environment EEM_MONITOR_CLEAR yes\n\n !\n !-- Define variable and set to the TCP connection\n !-- state or states that script will monitor, which\n !-- can be a single state or a space-separated list\n !-- of states\n !\n event manager environment EEM_MONITOR_STATES SYNRCVD SYNSENT\n\n !\n !-- Register the script as a Cisco EEM policy\n !\n event manager policy monitor-sockets.tcl\n\n\nObtaining Fixed Software\n========================\n\nCisco has released free software updates that address this\nvulnerability. 
Prior to deploying software, customers should consult\ntheir maintenance provider or check the software for feature set\ncompatibility and known issues specific to their environment. \n\nCustomers may only install and expect support for the feature\nsets they have purchased. By installing, downloading, accessing\nor otherwise using such software upgrades, customers agree to be\nbound by the terms of Cisco\u0027s software license terms found at\nhttp://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,\nor as otherwise set forth at Cisco.com Downloads at\nhttp://www.cisco.com/public/sw-center/sw-usingswc.shtml. \n\nDo not contact psirt@cisco.com or security-alert@cisco.com for software\nupgrades. \n\nCustomers with Service Contracts\n+-------------------------------\n\nCustomers with contracts should obtain upgraded software through their\nregular update channels. For most customers, this means that upgrades\nshould be obtained through the Software Center on Cisco\u0027s worldwide\nwebsite at http://www.cisco.com. \n\nCustomers without Service Contracts\n+----------------------------------\n\nCustomers who purchase direct from Cisco but do not hold a Cisco service\ncontract, and customers who purchase through third-party vendors but are\nunsuccessful in obtaining fixed software through their point of sale\nshould acquire upgrades by contacting the Cisco Technical Assistance\nCenter (TAC). TAC contacts are as follows. \n\n * +1 800 553 2447 (toll free from within North America)\n * +1 408 526 7209 (toll call from anywhere in the world)\n * e-mail: tac@cisco.com\n\nCustomers should have their product serial number available and be\nprepared to give the URL of this notice as evidence of entitlement to a\nfree upgrade. Free upgrades for non-contract customers must be requested\nthrough the TAC. 
\n\nRefer to\nhttp://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html\nfor additional TAC contact information, including localized telephone\nnumbers, and instructions and e-mail addresses for use in various\nlanguages. \n\nExploitation and Public Announcements\n=====================================\n\nThe Cisco PSIRT is not aware of any public announcements or malicious\nuse of the vulnerability described in this advisory. \n\nStatus of this Notice: FINAL\n============================\n\nTHIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY\nANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF\nMERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE\nINFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS\nAT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS\nDOCUMENT AT ANY TIME. \n\nA stand-alone copy or Paraphrase of the text of this document that omits\nthe distribution URL in the following section is an uncontrolled copy,\nand may lack important information or contain factual errors. \n\nDistribution\n============\n\nThis advisory is posted on Cisco\u0027s worldwide website at:\n\nhttp://www.cisco.com/warp/public/707/cisco-sa-20100812-tcp.shtml\n\nIn addition to worldwide web posting, a text version of this notice is\nclear-signed with the Cisco PSIRT PGP key and is posted to the following\ne-mail and Usenet news recipients. \n\n * cust-security-announce@cisco.com\n * first-bulletins@lists.first.org\n * bugtraq@securityfocus.com\n * vulnwatch@vulnwatch.org\n * cisco@spot.colorado.edu\n * cisco-nsp@puck.nether.net\n * full-disclosure@lists.grok.org.uk\n * comp.dcom.sys.cisco@newsgate.cisco.com\n\nFuture updates of this advisory, if any, will be placed on Cisco\u0027s\nworldwide website, but may or may not be actively announced on mailing\nlists or newsgroups. Users concerned about this problem are encouraged\nto check the above URL for any updates. 
\n\nRevision History\n================\n\n+------------------------------------------------------------+\n| Revision 1.0 | 2010-August-12 | Initial public release. |\n+------------------------------------------------------------+\n\nCisco Security Procedures\n=========================\n\nComplete information on reporting security vulnerabilities\nin Cisco products, obtaining assistance with security\nincidents, and registering to receive security information\nfrom Cisco, is available on Cisco\u0027s worldwide website at\nhttp://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. \nThis includes instructions for press inquiries regarding\nCisco security notices. All Cisco security advisories are available at\nhttp://www.cisco.com/go/psirt. \n\n+--------------------------------------------------------------------\nCopyright 2008-2010 Cisco Systems, Inc. All rights reserved. \n+--------------------------------------------------------------------\n\nUpdated: Aug 12, 2010 Document ID: 112099\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2010-2827"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001950"
},
{
"db": "BID",
"id": "42426"
},
{
"db": "VULHUB",
"id": "VHN-45432"
},
{
"db": "PACKETSTORM",
"id": "92777"
},
{
"db": "PACKETSTORM",
"id": "92728"
}
],
"trust": 2.16
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-45432",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-45432"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2010-2827",
"trust": 2.9
},
{
"db": "BID",
"id": "42426",
"trust": 2.2
},
{
"db": "SECUNIA",
"id": "40958",
"trust": 0.9
},
{
"db": "VUPEN",
"id": "ADV-2010-2084",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001950",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201008-152",
"trust": 0.7
},
{
"db": "CISCO",
"id": "20100812 CISCO IOS SOFTWARE TCP DENIAL OF SERVICE VULNERABILITY",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "92728",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-45432",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "92777",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-45432"
},
{
"db": "BID",
"id": "42426"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001950"
},
{
"db": "PACKETSTORM",
"id": "92777"
},
{
"db": "PACKETSTORM",
"id": "92728"
},
{
"db": "CNNVD",
"id": "CNNVD-201008-152"
},
{
"db": "NVD",
"id": "CVE-2010-2827"
}
]
},
"id": "VAR-201008-0200",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-45432"
}
],
"trust": 0.01
},
"last_update_date": "2025-04-11T23:09:01.077000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "cisco-amb-20100812-tcp",
"trust": 0.8,
"url": "http://www.cisco.com/warp/public/707/cisco-amb-20100812-tcp.shtml"
},
{
"title": "21125",
"trust": 0.8,
"url": "http://tools.cisco.com/security/center/viewAlert.x?alertId=21125"
},
{
"title": "cisco-sa-20100812-tcp",
"trust": 0.8,
"url": "http://www.cisco.com/JP/support/public/ht/security/109/1090825/cisco-sa-20100812-tcp-j.shtml"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2010-001950"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-20",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-45432"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001950"
},
{
"db": "NVD",
"id": "CVE-2010-2827"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.0,
"url": "http://www.cisco.com/en/us/products/products_security_advisory09186a0080b4095e.shtml"
},
{
"trust": 1.9,
"url": "http://www.securityfocus.com/bid/42426"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-2827"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-2827"
},
{
"trust": 0.8,
"url": "http://secunia.com/advisories/40958"
},
{
"trust": 0.8,
"url": "http://www.vupen.com/english/advisories/2010/2084"
},
{
"trust": 0.3,
"url": "http://www.cisco.com/en/us/products/sw/iosswrel/products_ios_cisco_ios_software_category_home.html"
},
{
"trust": 0.2,
"url": "http://www.cisco.com/warp/public/707/cisco-sa-20100812-tcp.shtml"
},
{
"trust": 0.1,
"url": "http://twitter.com/secunia"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/40958/"
},
{
"trust": 0.1,
"url": "http://secunia.com/products/corporate/evm/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/secunia_security_advisories/"
},
{
"trust": 0.1,
"url": "http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/"
},
{
"trust": 0.1,
"url": "http://secunia.com/vulnerability_scanning/personal/"
},
{
"trust": 0.1,
"url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/40958/#comments"
},
{
"trust": 0.1,
"url": "https://ca.secunia.com/?page=viewadvisory\u0026vuln_id=40958"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/about_secunia_advisories/"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/go/psirt"
},
{
"trust": 0.1,
"url": "http://secunia.com/"
},
{
"trust": 0.1,
"url": "http://forums.cisco.com/eforum/servlet/eem?page=eem\u0026fn=script\u0026scriptid=2041,"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/warp/public/707/cisco-sa-20100812-tcp.shtml."
},
{
"trust": 0.1,
"url": "http://www.cisco.com/warp/public/707/cisco-amb-20100812-tcp.shtml"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/en/us/products/products_security_vulnerability_policy.html."
},
{
"trust": 0.1,
"url": "http://www.cisco.com/en/us/support/tsd_cisco_worldwide_contacts.html"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/go/psirt."
},
{
"trust": 0.1,
"url": "http://lists.grok.org.uk/full-disclosure-charter.html"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html#7)."
},
{
"trust": 0.1,
"url": "http://www.cisco.com."
},
{
"trust": 0.1,
"url": "http://www.cisco.com/en/us/docs/ios/12_3t/12_3t7/feature/guide/gt_btsh.html)"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/en/us/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html)."
},
{
"trust": 0.1,
"url": "http://www.cisco.com/public/sw-center/sw-usingswc.shtml."
},
{
"trust": 0.1,
"url": "http://www.cisco.com/en/us/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml)"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/en/us/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml)."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2010-2827"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/techsupport"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html)"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/go/ciscobeyond)"
},
{
"trust": 0.1,
"url": "http://www.cisco.com/en/us/docs/general/warranty/english/eu1ken_.html,"
},
{
"trust": 0.1,
"url": "http://intellishield.cisco.com/security/alertmanager/cvss"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-45432"
},
{
"db": "BID",
"id": "42426"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001950"
},
{
"db": "PACKETSTORM",
"id": "92777"
},
{
"db": "PACKETSTORM",
"id": "92728"
},
{
"db": "CNNVD",
"id": "CNNVD-201008-152"
},
{
"db": "NVD",
"id": "CVE-2010-2827"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-45432"
},
{
"db": "BID",
"id": "42426"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001950"
},
{
"db": "PACKETSTORM",
"id": "92777"
},
{
"db": "PACKETSTORM",
"id": "92728"
},
{
"db": "CNNVD",
"id": "CNNVD-201008-152"
},
{
"db": "NVD",
"id": "CVE-2010-2827"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2010-08-16T00:00:00",
"db": "VULHUB",
"id": "VHN-45432"
},
{
"date": "2010-08-12T00:00:00",
"db": "BID",
"id": "42426"
},
{
"date": "2010-09-06T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2010-001950"
},
{
"date": "2010-08-16T15:29:06",
"db": "PACKETSTORM",
"id": "92777"
},
{
"date": "2010-08-13T01:57:40",
"db": "PACKETSTORM",
"id": "92728"
},
{
"date": "2010-08-19T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201008-152"
},
{
"date": "2010-08-16T18:39:40.950000",
"db": "NVD",
"id": "CVE-2010-2827"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2010-08-20T00:00:00",
"db": "VULHUB",
"id": "VHN-45432"
},
{
"date": "2010-08-12T00:00:00",
"db": "BID",
"id": "42426"
},
{
"date": "2010-09-06T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2010-001950"
},
{
"date": "2010-08-19T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201008-152"
},
{
"date": "2025-04-11T00:51:21.963000",
"db": "NVD",
"id": "CVE-2010-2827"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "92728"
},
{
"db": "CNNVD",
"id": "CNNVD-201008-152"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cisco IOS of TCP Service disruption in connection (DoS) Vulnerabilities",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2010-001950"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "input validation",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201008-152"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.