Reference: CERT-EU Security Advisory 2013-0035

Title: Multiple Vulnerabilities in Cisco IOS XE Software for 1000 Series Aggregation Services Routers [1]

Version history:
19.04.2013 Initial publication

Summary
=======

Cisco IOS XE Software for 1000 Series Aggregation Services Routers (ASR) contains the following denial of service (DoS) vulnerabilities:

  Cisco IOS XE Software IPv6 Multicast Traffic Denial of Service Vulnerability
  Cisco IOS XE Software MVPNv6 Traffic Denial of Service Vulnerability
  Cisco IOS XE Software L2TP Traffic Denial of Service Vulnerability
  Cisco IOS XE Software Bridge Domain Interface Denial of Service Vulnerability
  Cisco IOS XE Software SIP Traffic Denial of Service Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of any of these vulnerabilities could allow an unauthenticated remote attacker to trigger a reload of the Embedded Services Processors (ESP) card or the Route Processor (RP) card, causing an interruption of services. Repeated exploitation could result in a sustained DoS condition.

CSCtz97563-- Cisco IOS XE Software IPv6 Multicast Traffic Denial of Service Vulnerability:
  CVSS Base Score - 7.8
  CVSS Temporal Score - 6.4

CSCub34945-- Cisco IOS XE Software MVPNv6 Traffic Denial of Service Vulnerability:
  CVSS Base Score - 7.8
  CVSS Temporal Score - 6.4

CSCtz23293-- Cisco IOS XE Software L2TP Traffic Denial of Service Vulnerability:
  CVSS Base Score - 7.8
  CVSS Temporal Score - 6.4

CSCtt11558-- Cisco IOS XE Software Bridge Domain Interface Denial of Service Vulnerability:
  CVSS Base Score - 7.1
  CVSS Temporal Score - 5.9

CSCuc65609-- Cisco IOS XE Software SIP Traffic Denial of Service Vulnerability:
  CVSS Base Score - 7.8
  CVSS Temporal Score - 6.4

Affected Products and Versions:
===============================

Cisco IOS XE Software for 1000 Series ASR contains multiple DoS vulnerabilities. Affected versions of Cisco IOS XE Software for 1000 Series ASR will vary depending on the specific vulnerability. Consult the Software Versions and Fixes section of this security advisory for more information about the affected versions [1].

What can you do?
================

Deploy the updated versions of the software [1]. No workarounds are available to mitigate these vulnerabilities.

What to tell your users?
========================

N/A

More information
================

[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asr1000
[2] http://www.first.org/cvss/cvss-guide.html

Best regards,

CERT-EU (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383