Cisco Warns Routers, Switches Vulnerable To Denial Of Service Attacks

Some Cisco devices running IOS Version 12.2S that have the Dynamic Host Configuration Protocol (DHCP) server or relay agent enabled are vulnerable to denial-of-service (DoS) attacks when sent specially crafted DHCP packets. Even if the DHCP service or DHCP relay service is not enabled, the router or switch may still be vulnerable, Cisco warned.

The vulnerability is caused by a flaw in the way the router and switch software handles DHCP packets. According to a Cisco advisory, if malformed DHCP packets crafted to attack the device are sent to it, the packets "will remain in the queue instead of being dropped. If a number of packets are sent that equal the size of the input queue, no more traffic will be accepted on that interface." That means the device will no longer function and will not perform its routing or switching functions.

The following devices are affected, if they are running a branch of IOS version 12.2S:

Cisco devices that do not run IOS software are not affected by the vulnerability. Additionally, Cisco devices running Cisco IOS software with the command "no service dhcp" configured are not affected.
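As an added illustration (not from the article or from Cisco), the following script performs the two checks a defender would want from the description above: whether a device's configuration leaves the DHCP service or relay exposed (Cisco states that "no service dhcp" removes exposure, and IOS enables the service by default), and whether any interface already shows the symptom the advisory describes, an input queue sitting at its maximum. The configuration and "show interfaces" text are constructed samples; the "Input queue: size/max/drops/flushes" layout follows the real IOS output format.

```python
import re

# Constructed sample of a running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip helper-address 10.0.5.10
!
interface GigabitEthernet0/2
 ip address 10.0.1.1 255.255.255.0
!
"""

# Constructed sample of `show interfaces` output. Gi0/1 shows a full input
# queue (75 of 75), which is the "no more traffic accepted" condition.
SAMPLE_SHOW_INTERFACES = """\
GigabitEthernet0/1 is up, line protocol is up
  Input queue: 75/75/0/0 (size/max/drops/flushes); Total output drops: 0
GigabitEthernet0/2 is up, line protocol is up
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
"""


def dhcp_service_enabled(config: str) -> bool:
    """IOS runs `service dhcp` by default, so the service is only off when
    `no service dhcp` appears explicitly in the configuration."""
    return re.search(r"^no service dhcp\s*$", config, re.MULTILINE) is None


def relay_interfaces(config: str) -> list:
    """Interfaces configured with `ip helper-address`, i.e. acting as DHCP relay."""
    found, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif current and line.strip().startswith("ip helper-address"):
            found.append(current)
    return found


def blocked_input_queues(show_interfaces: str) -> list:
    """Interfaces whose input queue size has reached its maximum."""
    blocked, current = [], None
    for line in show_interfaces.splitlines():
        head = re.match(r"^(\S+) is ", line)
        if head:
            current = head.group(1)
            continue
        q = re.search(r"Input queue: (\d+)/(\d+)/\d+/\d+", line)
        if q and current and int(q.group(1)) >= int(q.group(2)):
            blocked.append(current)
    return blocked
```

Run the checks against configuration backups and periodic "show interfaces" captures; an interface reported by blocked_input_queues on a device where dhcp_service_enabled is true is worth an immediate look.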

Cisco has released a software patch to fix the problem, and published workarounds. For details, see Cisco Security Advisory: Cisco IOS DHCP Blocked Interface Denial-of-Service.