-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3180
              Cisco IOS XE Software multiple vulnerabilities
                             23 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS XE Software
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Administrator Compromise        -- Remote/Unauthenticated      
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Modify Arbitrary Files          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Reduced Security                -- Remote/Unauthenticated      
                   Unauthorised Access             -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-34770 CVE-2021-34769 CVE-2021-34768
                   CVE-2021-34767 CVE-2021-34697 CVE-2021-1625
                   CVE-2021-1624 CVE-2021-1623 CVE-2021-1622
                   CVE-2021-1621 CVE-2021-1619 CVE-2021-1616
                   CVE-2021-1611 CVE-2021-1565 

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-h323alg-bypass-4vy2MP2Q
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-quewedge-69BsHUBW
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aaa-Yx47ZT8Q
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-zbfw-tguGuYq
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ratenat-pYVLA7wM
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-zbfw-pP9jfzwL
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-capwap-dos-gmNjdKOY
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-capwap-rce-LYgj8Kf
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-gre-6u4ELzAT
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-ipv6-dos-NMYeCnZv
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cbr8-cops-Vc2ZsJSx
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cbr8snmp-zGjkZ9Fc

Comment: This bulletin contains twelve (12) Cisco Systems security 
         advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco IOS XE Software H.323 Application Level Gateway Bypass Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-iosxe-h323alg-bypass-4vy2MP2Q
First Published: 2021 September 22 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvx16081
CVE Names:       CVE-2021-1616
CWEs:            CWE-693

Summary

  o A vulnerability in the H.323 application level gateway (ALG) used by the
    Network Address Translation (NAT) feature of Cisco IOS XE Software could
    allow an unauthenticated, remote attacker to bypass the ALG.

    This vulnerability is due to insufficient data validation of traffic that
    is traversing the ALG. An attacker could exploit this vulnerability by
    sending crafted traffic to a targeted device. A successful exploit could
    allow the attacker to bypass the ALG and open connections that should not
    be allowed to a remote device located behind the ALG.

    Note: This vulnerability has been publicly discussed as NAT Slipstreaming .

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-h323alg-bypass-4vy2MP2Q

    This advisory is part of the September 2021 release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication. For a complete list
    of the advisories and links to them, see Cisco Event Response: September
    2021 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco devices if
    they were running a vulnerable release of Cisco IOS XE Software, were
    configured for NAT, and had the H.323 ALG enabled. The H.323 ALG is enabled
    by default when NAT is configured.

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Determine Whether a Device is Configured to Perform NAT

    Administrators can determine whether NAT is active on the device
    (preferred) or whether NAT commands are present in the device
    configuration.

    Determine Whether NAT is Active

    To determine whether NAT is active on a device, log in to the device and
    issue the show ip nat statistics command in the CLI. If NAT is active, the
    Outside interfaces and Inside interfaces sections of the command output
    will include at least one interface.

    The following example shows the output of the show ip nat statistics 
    command for a device on which NAT is active:

        Router# show ip nat statistics

        Total active translations: 1 (0 static, 1 dynamic; 0 extended)
        Outside interfaces:
          GigabitEthernet0/0/3
        Inside interfaces:
          GigabitEthernet0/0/1


    If the output of the show ip nat statistics command does not list any
    interfaces, NAT is not active on the device.

    Determine Whether NAT Commands are Present

    To determine whether NAT commands are present in the device configuration,
    issue the show running-config command in the CLI. If NAT is active on the
    device, the output will include the ip nat inside and ip nat outside 
    interface commands. In the case of the NAT Virtual Interface, the ip nat
    enable interface command will be present.

    Determine Whether H.323 ALG is Disabled in the NAT Configuration

    To determine whether the H.323 ALG is disabled in the NAT configuration,
    use the show running-config | include ip nat service H225 privileged EXEC
    command. The presence of no ip nat service H225 indicates that the H.323
    ALG is disabled in the NAT configuration.

    The following example shows the output of show running-config | include ip
    nat service H225 in Cisco IOS XE Software that has the H.323 ALG disabled
    in the NAT configuration:

        Router#show running-config | include ip nat service H225
         no ip nat service H225

    If no ip nat service H225 does not appear in the output of show
    running-config | include ip nat service H225 , and the device runs an
    affected version of Cisco IOS XE Software with NAT enabled, that
    configuration is affected by this vulnerability.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       IOS Software
       IOS XR Software
       Meraki products
       NX-OS Software

Workarounds

  o There are no workarounds that address this vulnerability. However, a
    mitigation is available.

    Administrators may mitigate this vulnerability by disabling the NAT ALG for
    H.323 packets. However, this action may negatively impact normal operation
    of any device that sends or receives traffic through the affected device
    and, consequently, may disrupt normal network operations.

    Administrators should verify that their network environment does not
    require use of a NAT ALG for H.323 packets before they disable this
    functionality. To disable use of the NAT ALG for H.323 packets, use the no
    ip nat service H225 command in global configuration mode.

    While this mitigation has been deployed and was proven successful in a test
    environment, customers should determine the applicability and effectiveness
    in their own environment and under their own use conditions. Customers
    should be aware that any workaround or mitigation that is implemented may
    negatively impact the functionality or performance of their network based
    on intrinsic customer deployment scenarios and limitations. Customers
    should not deploy any workarounds or mitigations before first evaluating
    the applicability to their own environment and any impact to such
    environment.

Fixed Software

  o When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page , to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides the Cisco Software Checker to identify
    any Cisco Security Advisories that impact a specific software release and
    the earliest release that fixes the vulnerabilities described in each
    advisory ("First Fixed"). If applicable, the tool also returns the earliest
    release that fixes all the vulnerabilities described in all the advisories
    identified ("Combined First Fixed").

    Customers can use the Cisco Software Checker to search advisories in the
    following ways:

       Choose the software and one or more releases
       Upload a .txt file that includes a list of specific releases
       Enter the output of the show version command

    After initiating a search, customers can customize the search to include
    all Cisco Security Advisories, a specific advisory, or all advisories in
    the most recent bundled publication.

    Customers can also use the following form to determine whether a release is
    affected by any Cisco Security Advisory by entering a Cisco IOS or IOS XE
    Software release-for example, 15.1(4)M2 or 3.13.8S :

    By default, the Cisco Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, customers can use the
    Cisco Software Checker on Cisco.com and check the Medium check box in the
    drop-down list under Impact Rating when customizing a search.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware that
    proof-of-concept exploit code is available for the vulnerability described
    in this advisory.

    The Cisco PSIRT is not aware of any malicious use of the vulnerability that
    is described in this advisory.

Source

  o Cisco was made aware of this vulnerability through public discussion of the
    NAT Slipstreaming attacks.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: September 2021 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-h323alg-bypass-4vy2MP2Q

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-SEP-22  |
    +----------+---------------------------+----------+--------+--------------+


- --------------------------------------------------------------------------------


Cisco IOS XE Software Interface Queue Wedge Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-quewedge-69BsHUBW
First Published: 2021 September 22 16:00 GMT
Version 1.0:     Final
Workarounds:     Yes
Cisco Bug IDs:   CSCvw43399
CVE Names:       CVE-2021-1621
CWEs:            CWE-399

Summary

  o A vulnerability in the Layer 2 punt code of Cisco IOS XE Software could
    allow an unauthenticated, adjacent attacker to cause a queue wedge on an
    interface that receives specific Layer 2 frames, resulting in a denial of
    service (DoS) condition.

    This vulnerability is due to improper handling of certain Layer 2 frames.
    An attacker could exploit this vulnerability by sending specific Layer 2
    frames on the segment the router is connected to. A successful exploit
    could allow the attacker to cause a queue wedge on the interface, resulting
    in a DoS condition.

    Cisco has released software updates that address this vulnerability. There
    are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-quewedge-69BsHUBW

    This advisory is part of the September 2021 release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication. For a complete list
    of the advisories and links to them, see Cisco Event Response: September
    2021 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco IOS XE Software if it is running on one of
    the following Cisco products:

       1000 Integrated Services Routers (ISRs)
       4000 Series ISRs
       ASR 1000 Series Aggregation Services Routers
       Cloud Services Router (CSR) 1000V Series
       Integrated Services Virtual (ISRv) Routers

    In addition, if the device is running Cisco IOS XE Software Release 17.3.1
    or a later release that is earlier than the first fixed release, the device
    is considered vulnerable.

    If the device is running a Cisco IOS XE Software release earlier than
    Release 17.3.1, it is considered vulnerable only if it does not support
    Autonomic Networking.

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Determine the Device Configuration

    To determine whether a device does not support Autonomic Networking, use
    the show running-config all | include autonomic command in the CLI. The
    following example shows the output of the command for a device that is
    running Cisco IOS XE Software and does not support Autonomic Networking:

        Router# show running-config all | include autonomic
        Router#

    The following example shows the output if a device supports Autonomic
    Networking:

        Router# show running-config all | include autonomic
        autonomic
        autonomic
        autonomic
        Router#

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that these vulnerabilities do not affect the following
    Cisco products:

       IOS Software
       IOS XR Software
       Meraki products
       NX-OS Software

Workarounds

  o If a device is running a Cisco IOS XE Software release earlier than Release
    17.3.1, changing the license level to one that supports Autonomic
    Networking, such as adventerprise , can be used as a workaround. If the
    device is running Cisco IOS XE Software Release 17.3.1 or later, there are
    no workarounds that address this vulnerability.

    If this vulnerability has been exploited and the attack has stopped,
    administrators can set a maximum hold-queue value that is greater than the
    currently configured value for the affected interface to allow traffic to
    pass until a reload can be scheduled. The following example shows how to
    set the value to 350 by using the hold-queue in interface configuration
    command:

        Router# configure terminal
        Router(config)# interface gigabitEthernet 1
        Router(config-if)# hold-queue 350 in

    Cisco IOS Embedded Event Manager

    A Cisco IOS Embedded Event Manager (EEM) policy that is based on Tool
    Command Language (Tcl) can be used on affected devices running Cisco IOS
    Software to detect and identify interface queue wedges that are caused by
    this vulnerability. The policy allows administrators to monitor interfaces
    for devices running Cisco IOS Software and detect when input queues are
    full. When Cisco IOS EEM detects potential exploitation of this
    vulnerability, the policy sends an alert to the network administrator, who
    can then decide to implement an upgrade, implement suitable mitigations, or
    reload the device to clear the input queue.

    The Tcl script is available for download at the following link: https://
    supportforums.cisco.com/docs/DOC-19337

    While this workaround has been deployed and was proven successful in a test
    environment, customers should determine the applicability and effectiveness
    in their own environment and under their own use conditions. Customers
    should be aware that any workaround or mitigation that is implemented may
    negatively impact the functionality or performance of their network based
    on intrinsic customer deployment scenarios and limitations. Customers
    should not deploy any workarounds or mitigations before first evaluating
    the applicability to their own environment and any impact to such
    environment.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page , to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides the Cisco Software Checker to identify
    any Cisco Security Advisories that impact a specific software release and
    the earliest release that fixes the vulnerabilities described in each
    advisory ("First Fixed"). If applicable, the tool also returns the earliest
    release that fixes all the vulnerabilities described in all the advisories
    identified ("Combined First Fixed").

    Customers can use the Cisco Software Checker to search advisories in the
    following ways:

       Choose the software and one or more releases
       Upload a .txt file that includes a list of specific releases
       Enter the output of the show version command

    After initiating a search, customers can customize the search to include
    all Cisco Security Advisories, a specific advisory, or all advisories in
    the most recent bundled publication.

    Customers can also use the following form to determine whether a release is
    affected by any Cisco Security Advisory by entering a Cisco IOS or IOS XE
    Software release-for example, 15.1(4)M2 or 3.13.8S :

    By default, the Cisco Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, customers can use the
    Cisco Software Checker on Cisco.com and check the Medium check box in the
    drop-down list under Impact Rating when customizing a search.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: September 2021 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-quewedge-69BsHUBW

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-SEP-22  |
    +----------+---------------------------+----------+--------+--------------+


- --------------------------------------------------------------------------------


Cisco IOS XE Software NETCONF and RESTCONF Authentication Bypass Vulnerability

Priority:        Critical
Advisory ID:     cisco-sa-aaa-Yx47ZT8Q
First Published: 2021 September 22 16:00 GMT
Version 1.0:     Final
Workarounds:     Yes
Cisco Bug IDs:   CSCvt53563
CVE Names:       CVE-2021-1619
CWEs:            CWE-824

Summary

  o A vulnerability in the authentication, authorization, and accounting (AAA)
    function of Cisco IOS XE Software could allow an unauthenticated, remote
    attacker to bypass NETCONF or RESTCONF authentication and do either of the
    following:

       Install, manipulate, or delete the configuration of an affected device
       Cause memory corruption that results in a denial of service (DoS) on an
        affected device

    This vulnerability is due to an uninitialized variable. An attacker could
    exploit this vulnerability by sending a series of NETCONF or RESTCONF
    requests to an affected device. A successful exploit could allow the
    attacker to use NETCONF or RESTCONF to install, manipulate, or delete the
    configuration of a network device or to corrupt memory on the device,
    resulting a DoS.

    Cisco has released software updates that address this vulnerability. There
    are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aaa-Yx47ZT8Q

    This advisory is part of the September 2021 release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication. For a complete list
    of the advisories and links to them, see Cisco Event Response: September
    2021 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco IOS XE Software if it is running in
    autonomous or controller mode and Cisco IOS XE SD-WAN Software. For either
    to be affected, all of the following must be configured:

       AAA
       NETCONF, RESTCONF, or both
       enable password without enable secret

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Note: The standalone Cisco IOS XE SD-WAN release images are separate from
    the universal Cisco IOS XE Software releases. The SD-WAN feature set was
    first integrated into the universal Cisco IOS XE Software releases starting
    with IOS XE Software Release 17.2.1r. For additional information, see the
    Install and Upgrade Cisco IOS XE Release 17.2.1r and Later chapter of the
    Cisco SD-WAN Getting Started Guide .

    Determine the Device Configuration

    To determine whether a device has a vulnerable configuration, do the
    following:

    Check AAA Configuration

    To determine whether AAA authentication is configured on the device, use
    the show running-config | include aaa authentication login command, as
    shown in the following example:

        Router#show running-config | include aaa authentication login
        aaa authentication login default local group example
        Router#

    Check NETCONF and RESTCONF Configuration

    To determine whether NETCONF or RESTCONF is configured on the device, use
    the show running-config | include netconf|restconf command, as shown in the
    following example:

        Router#show running-config | include netconf|restconf
        netconf-yang
        restconf
        Router#

    Check enable password Configuration

    To determine whether enable password is configured on the device without
    the presence of an enable secret , use the show running-config | include
    enable password|secret command, as shown in the following example:

        Router#show running-config | include enable password|secret
        enable password 7 00010B07094B0703
        Router#

    Note: If enable secret is being used without the presence of enable
    password , the device is not affected.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       IOS Software
       IOS XR Software
       Meraki products
       NX-OS Software

Workarounds

  o There is a workaround that addresses this vulnerability: Remove the enable
    password and configure an enable secret . For more information, see Cisco
    Guide to Harden Cisco IOS Devices .

    There is also a mitigation that addresses this vulnerability: To limit the
    attack surface of this vulnerability, ensure that access control lists
    (ACLs) are in place for NETCONF and RESTCONF to prevent attempted access
    from untrusted subnets. For more information, see NETCONF and RESTCONF
    Service-Level ACLs .

    While this workaround and this mitigation have been deployed and were
    proven successful in a test environment, customers should determine the
    applicability and effectiveness in their own environment and under their
    own use conditions. Customers should be aware that any workaround or
    mitigation that is implemented may negatively impact the functionality or
    performance of their network based on intrinsic customer deployment
    scenarios and limitations. Customers should not deploy any workarounds or
    mitigations before first evaluating the applicability to their own
    environment and any impact to such environment.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page , to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides the Cisco Software Checker to identify
    any Cisco Security Advisories that impact a specific software release and
    the earliest release that fixes the vulnerabilities described in each
    advisory ("First Fixed"). If applicable, the tool also returns the earliest
    release that fixes all the vulnerabilities described in all the advisories
    identified ("Combined First Fixed").

    Customers can use the Cisco Software Checker to search advisories in the
    following ways:

       Choose the software and one or more releases
       Upload a .txt file that includes a list of specific releases
       Enter the output of the show version command

    After initiating a search, customers can customize the search to include
    all Cisco Security Advisories, a specific advisory, or all advisories in
    the most recent bundled publication.

    Customers can also use the following form to determine whether a release is
    affected by any Cisco Security Advisory by entering a Cisco IOS or IOS XE
    Software release-for example, 15.1(4)M2 or 3.13.8S :

    By default, the Cisco Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, customers can use the
    Cisco Software Checker on Cisco.com and check the Medium check box in the
    drop-down list under Impact Rating when customizing a search.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: September 2021 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aaa-Yx47ZT8Q

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-SEP-22  |
    +----------+---------------------------+----------+--------+--------------+


- --------------------------------------------------------------------------------


Cisco IOS XE Software Protection Against Distributed Denial of Service Attacks
Feature Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-zbfw-tguGuYq
First Published: 2021 September 22 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvx15607
CVE Names:       CVE-2021-34697
CWEs:            CWE-665

Summary

  o A vulnerability in the Protection Against Distributed Denial of Service
    Attacks feature of Cisco IOS XE Software could allow an unauthenticated,
    remote attacker to conduct denial of service (DoS) attacks to or through
    the affected device.

    This vulnerability is due to incorrect programming of the half-opened
    connections limit, TCP SYN flood limit, or TCP SYN cookie features when the
    features are configured in vulnerable releases of Cisco IOS XE Software. An
    attacker could exploit this vulnerability by attempting to flood traffic to
    or through the affected device. A successful exploit could allow the
    attacker to initiate a DoS attack to or through an affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-zbfw-tguGuYq

    This advisory is part of the September 2021 release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication. For a complete list
    of the advisories and links to them, see Cisco Event Response: September
    2021 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco IOS XE
    Software releases 17.3.1 and later (but earlier than the first fixed
    release) if the software was in autonomous or controller mode and had one
    of the following enabled:

       Half-opened connections limit
       TCP SYN flood limit
       TCP SYN cookie feature

    For more information about which Cisco software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Determine the Device Configuration

    The half-opened connections limit, TCP SYN flood limit, or TCP SYN cookie
    features are enabled if any of the following configuration commands are
    present in the device configuration:

       max-incomplete
       max-incomplete tcp
       max-incomplete udp
       max-incomplete icmp
       max-incomplete high
       max-incomplete low
       tcp max-incomplete host
       tcp syn-flood limit
       tcp syn-flood rate per-destination

    To confirm whether the data plane has been successfully programmed, use the
    show platform hardware qfp active feature firewall runtime command. If the
    configuration is defined with half-opened session limits, SYN flood limits,
    or SYN cookie features, the respective flag for that feature should be
    present: half-open, syn-flood, or syn-cookie . If one of these features is
    configured but the corresponding flag is not present, the device is not
    programmed correctly. The following example shows the flag appearance when
    the data plane is programmed correctly:

        Router# show platform hardware qfp active feature firewall runtime
        .
        .
        .
        global3 0x00000081:
          syn-flood                              (0x00000040)
          syn-cookie                             (0x00000020)
          half-open                              (0x00000080)
        .
        .
        .
        Router#

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       IOS Software
       IOS XR Software
       Meraki products
       NX-OS Software

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page , to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides the Cisco Software Checker to identify
    any Cisco Security Advisories that impact a specific software release and
    the earliest release that fixes the vulnerabilities described in each
    advisory ("First Fixed"). If applicable, the tool also returns the earliest
    release that fixes all the vulnerabilities described in all the advisories
    identified ("Combined First Fixed").

    Customers can use the Cisco Software Checker to search advisories in the
    following ways:

       Choose the software and one or more releases
       Upload a .txt file that includes a list of specific releases
       Enter the output of the show version command

    After initiating a search, customers can customize the search to include
    all Cisco Security Advisories, a specific advisory, or all advisories in
    the most recent bundled publication.

    Customers can also use the following form to determine whether a release is
    affected by any Cisco Security Advisory by entering a Cisco IOS or IOS XE
    Software release-for example, 15.1(4)M2 or 3.13.8S :

    By default, the Cisco Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, customers can use the
    Cisco Software Checker on Cisco.com and check the Medium check box in the
    drop-down list under Impact Rating when customizing a search.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: September 2021 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-zbfw-tguGuYq

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-SEP-22  |
    +----------+---------------------------+----------+--------+--------------+


- --------------------------------------------------------------------------------


Cisco IOS XE Software Rate Limiting Network Address Translation Denial of
Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-ratenat-pYVLA7wM
First Published: 2021 September 22 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvx37176
CVE Names:       CVE-2021-1624
CWEs:            CWE-399

Summary

  o A vulnerability in the Rate Limiting Network Address Translation (NAT)
    feature of Cisco IOS XE Software could allow an unauthenticated, remote
    attacker to cause high CPU utilization in the Cisco QuantumFlow Processor
    of an affected device, resulting in a denial of service (DoS) condition.

    This vulnerability is due to mishandling of the rate limiting feature
    within the QuantumFlow Processor. An attacker could exploit this
    vulnerability by sending large amounts of traffic that would be subject to
    NAT and rate limiting through an affected device. A successful exploit
    could allow the attacker to cause the QuantumFlow Processor utilization to
    reach 100 percent on the affected device, resulting in a DoS condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ratenat-pYVLA7wM

    This advisory is part of the September 2021 release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication. For a complete list
    of the advisories and links to them, see Cisco Event Response: September
    2021 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco IOS XE Software if the Rate Limiting NAT
    feature is enabled.

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Determine the Device Configuration

    To determine whether the Rate Limiting NAT feature is enabled, use the show
    running-config | include ip nat translation max-entries CLI command. If the
    command returns output, as shown in the following example, the Rate
    Limiting NAT feature is enabled:

        Router# show running-config | include ip nat translation max-entries
        ip nat translation max-entries
        ip nat translation max-entries all-host
        Router#

    Determine the Available Sub-Commands

    The Rate Limiting NAT feature supports several sub-commands. The following
    max-entries sub-commands have been fixed as part of this investigation:

       ip nat translation max-entries
       ip nat translation max-entries all-host
       ip nat translation max-entries host

    The remaining max-entries configuration sub-commands are affected by the
    vulnerability that is described in this advisory and is documented in Cisco
    Bug ID CSCvx75321 . Cisco does not plan to fix these sub-commands.

    To determine whether the sub-commands that have been fixed are enabled on
    an affected device, use the show running-config | include ^ip nat
    translation max-entries (all-host|host|[0-9]) CLI command. If the command
    returns output, upgrading to a fixed software release is recommended.

    To determine whether the commands that have not been fixed are enabled, use
    the show running-config | include ^ip nat translation max-entries (all-vrf|
    list|redundancy|vrf) CLI command. If the command returns output, the device
    is considered vulnerable. Administrators should consider removing those
    commands.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       IOS Software
       IOS XR Software
       Meraki products
       NX-OS Software

Details

  o To show the QuantumFlow Processor utilization, use the command show
    platform hardware qfp active data utilization , as shown in the following
    example:

        Router#show platform hardware qfp active data utilization summary
          CPP 0:                    5 secs       1 min       5 min      60 min
        Input:     Total (pps)       44150       44158       41901        8720
                         (bps)    49446512    49455192    46928320     9765272
        Output:    Total (pps)           8           9           9           4
                         (bps)       12016       15656       15120        9224
        Processing: Load (pct)          99          99          53           8

Workarounds

  o There are no workarounds that address this vulnerability. However, as a
    mitigation, administrators can remove all ip nat translation max-entries 
    commands from the configuration.

    While this mitigation has been deployed and was proven successful in a test
    environment, customers should determine the applicability and effectiveness
    in their own environment and under their own use conditions. Customers
    should be aware that any workaround or mitigation that is implemented may
    negatively impact the functionality or performance of their network based
    on intrinsic customer deployment scenarios and limitations. Customers
    should not deploy any workarounds or mitigations before first evaluating
    the applicability to their own environment and any impact to such
    environment.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page , to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides the Cisco Software Checker to identify
    any Cisco Security Advisories that impact a specific software release and
    the earliest release that fixes the vulnerabilities described in each
    advisory ("First Fixed"). If applicable, the tool also returns the earliest
    release that fixes all the vulnerabilities described in all the advisories
    identified ("Combined First Fixed").

    Customers can use the Cisco Software Checker to search advisories in the
    following ways:

       Choose the software and one or more releases
       Upload a .txt file that includes a list of specific releases
       Enter the output of the show version command

    After initiating a search, customers can customize the search to include
    all Cisco Security Advisories, a specific advisory, or all advisories in
    the most recent bundled publication.

    Customers can also use the following form to determine whether a release is
    affected by any Cisco Security Advisory by entering a Cisco IOS or IOS XE
    Software release-for example, 15.1(4)M2 or 3.13.8S :

    By default, the Cisco Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, customers can use the
    Cisco Software Checker on Cisco.com and check the Medium check box in the
    drop-down list under Impact Rating when customizing a search.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: September 2021 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ratenat-pYVLA7wM

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-SEP-22  |
    +----------+---------------------------+----------+--------+--------------+


- --------------------------------------------------------------------------------


Cisco IOS XE Software Zone-Based Policy Firewall ICMP and UDP Inspection
Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-zbfw-pP9jfzwL
First Published: 2021 September 22 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvv78028
CVE Names:       CVE-2021-1625
CWEs:            CWE-284

Summary

  o A vulnerability in the Zone-Based Policy Firewall feature of Cisco IOS XE
    Software could allow an unauthenticated, remote attacker to prevent the
    Zone-Based Policy Firewall from correctly classifying traffic.

    This vulnerability exists because ICMP and UDP responder-to-initiator flows
    are not inspected when the Zone-Based Policy Firewall has either Unified
    Threat Defense (UTD) or Application Quality of Experience (AppQoE)
    configured. An attacker could exploit this vulnerability by attempting to
    send UDP or ICMP flows through the network. A successful exploit could
    allow the attacker to inject traffic through the Zone-Based Policy
    Firewall, resulting in traffic being dropped because it is incorrectly
    classified or in incorrect reporting figures being produced by high-speed
    logging (HSL).

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-zbfw-pP9jfzwL

    This advisory is part of the September 2021 release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication. For a complete list
    of the advisories and links to them, see Cisco Event Response: September
    2021 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco IOS XE
    Software if it had either of the following combinations of features
    enabled:

       Zone-Based Policy Firewall with UTD (either the Snort intrusion
        prevention system [IPS] or web URL filtering)
       Zone-Based Policy Firewall with AppQoE

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       IOS Software
       IOS XR Software
       Meraki products
       NX-OS Software

Details

  o The impact of this vulnerability varies, but all impacts stem from the ICMP
    and UDP flows not being inspected on the responder-to-initiator return
    path.

       When the device has Zone-Based Policy Firewall configured with UTD or
        AppQoE and with an application layer gateway (ALG)/Alarm Interface
        Controller (AIC), the ALG/AIC state could be incorrectly tracked,
        causing the ICMP or UDP flows to break.
       When the device has Zone-Based Policy Firewall configured with UTD or
        AppQoE, a window can open in which the Zone-Based Policy Firewall idle
        times for the flow expire, causing the Zone-Based Policy Firewall
        session to be torn down while still existing in UTD. As a result, UDP
        flows from the responder could still be injected into the network.
       When the device has Zone-Based Policy Firewall configured with UTD or
        AppQoE and with HSL, the HSL responder data for the UDP and ICMP flows
        will show 0.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page , to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides the Cisco Software Checker to identify
    any Cisco Security Advisories that impact a specific software release and
    the earliest release that fixes the vulnerabilities described in each
    advisory ("First Fixed"). If applicable, the tool also returns the earliest
    release that fixes all the vulnerabilities described in all the advisories
    identified ("Combined First Fixed").

    Customers can use the Cisco Software Checker to search advisories in the
    following ways:

       Choose the software and one or more releases
       Upload a .txt file that includes a list of specific releases
       Enter the output of the show version command

    After initiating a search, customers can customize the search to include
    all Cisco Security Advisories, a specific advisory, or all advisories in
    the most recent bundled publication.

    Customers can also use the following form to determine whether a release is
    affected by any Cisco Security Advisory by entering a Cisco IOS or IOS XE
    Software release-for example, 15.1(4)M2 or 3.13.8S :

    By default, the Cisco Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, customers can use the
    Cisco Software Checker on Cisco.com and check the Medium check box in the
    drop-down list under Impact Rating when customizing a search.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: September 2021 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-zbfw-pP9jfzwL

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-SEP-22  |
    +----------+---------------------------+----------+--------+--------------+


- --------------------------------------------------------------------------------


Cisco IOS XE Software for Catalyst 9000 Family Wireless Controllers CAPWAP
Denial of Service Vulnerabilities

Priority:        High
Advisory ID:     cisco-sa-ewlc-capwap-dos-gmNjdKOY
First Published: 2021 September 22 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvu73277 CSCvv76805 CSCvw03037 CSCvw53824
CVE Names:       CVE-2021-1565 CVE-2021-34768 CVE-2021-34769
CWEs:            CWE-415 CWE-476 CWE-690

Summary

  o Multiple vulnerabilities in the Control and Provisioning of Wireless Access
    Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco
    Catalyst 9000 Family Wireless Controllers could allow an unauthenticated,
    remote attacker to cause a denial of service (DoS) condition on an affected
    device.

    These vulnerabilities are due to insufficient validation of CAPWAP packets.
    An attacker could exploit the vulnerabilities by sending a malformed CAPWAP
    packet to an affected device. A successful exploit could allow the attacker
    to cause the affected device to crash and reload, resulting in a DoS
    condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-capwap-dos-gmNjdKOY

    This advisory is part of the September 2021 release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication. For a complete list
    of the advisories and links to them, see Cisco Event Response: September
    2021 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    These vulnerabilities affect the following Cisco products if they are
    running a vulnerable release of Cisco IOS XE Software for Cisco Catalyst
    9000 Family Wireless Controllers:

       Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and
        9500 Series Switches
       Catalyst 9800 Series Wireless Controllers
       Catalyst 9800-CL Wireless Controllers for Cloud
       Embedded Wireless Controller on Catalyst Access Points

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by these vulnerabilities.

    Cisco has confirmed that these vulnerabilities do not affect the following
    Cisco products:

       IOS Software
       IOS XR Software
       Meraki products
       NX-OS Software
       Wireless LAN Controller (WLC) AireOS Software

Workarounds

  o There are no workarounds that address these vulnerabilities.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page , to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides the Cisco Software Checker to identify
    any Cisco Security Advisories that impact a specific software release and
    the earliest release that fixes the vulnerabilities described in each
    advisory ("First Fixed"). If applicable, the tool also returns the earliest
    release that fixes all the vulnerabilities described in all the advisories
    identified ("Combined First Fixed").

    Customers can use the Cisco Software Checker to search advisories in the
    following ways:

       Choose the software and one or more releases
       Upload a .txt file that includes a list of specific releases
       Enter the output of the show version command

    After initiating a search, customers can customize the search to include
    all Cisco Security Advisories, a specific advisory, or all advisories in
    the most recent bundled publication.

    Customers can also use the following form to determine whether a release is
    affected by any Cisco Security Advisory by entering a Cisco IOS or IOS XE
    Software release-for example, 15.1(4)M2 or 3.13.8S :

    By default, the Cisco Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, customers can use the
    Cisco Software Checker on Cisco.com and check the Medium check box in the
    drop-down list under Impact Rating when customizing a search.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerabilities that are
    described in this advisory.

Source

  o CVE-2021-1565: Cisco would like to thank Marcin Kopec, Fabian Beck, and
    Jiri Kulda of Deutsche Telekom for reporting this vulnerability.

    CVE-2021-34768: This vulnerability was found during the resolution of a
    Cisco TAC support case.

    CVE-2021-34769: This vulnerability was found during internal security
    testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: September 2021 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-capwap-dos-gmNjdKOY

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-SEP-22  |
    +----------+---------------------------+----------+--------+--------------+


- --------------------------------------------------------------------------------


Cisco IOS XE Software for Catalyst 9000 Family Wireless Controllers CAPWAP
Remote Code Execution Vulnerability

Priority:        Critical
Advisory ID:     cisco-sa-ewlc-capwap-rce-LYgj8Kf
First Published: 2021 September 22 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvw08884
CVE Names:       CVE-2021-34770
CWEs:            CWE-122

Summary

  o A vulnerability in the Control and Provisioning of Wireless Access Points
    (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst
    9000 Family Wireless Controllers could allow an unauthenticated, remote
    attacker to execute arbitrary code with administrative privileges or cause
    a denial of service (DoS) condition on an affected device.

    The vulnerability is due to a logic error that occurs during the validation
    of CAPWAP packets. An attacker could exploit this vulnerability by sending
    a crafted CAPWAP packet to an affected device. A successful exploit could
    allow the attacker to execute arbitrary code with administrative privileges
    or cause the affected device to crash and reload, resulting in a DoS
    condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-capwap-rce-LYgj8Kf

    This advisory is part of the September 2021 release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication. For a complete list
    of the advisories and links to them, see Cisco Event Response: September
    2021 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are running
    a vulnerable release of Cisco IOS XE Software for Cisco Catalyst 9000
    Family Wireless Controllers:

       Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and
        9500 Series Switches
       Catalyst 9800 Series Wireless Controllers
       Catalyst 9800-CL Wireless Controllers for Cloud
       Embedded Wireless Controller on Catalyst Access Points

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       IOS Software
       IOS XR Software
       Meraki products
       NX-OS Software
       Wireless LAN Controller (WLC) AireOS Software

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page , to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides the Cisco Software Checker to identify
    any Cisco Security Advisories that impact a specific software release and
    the earliest release that fixes the vulnerabilities described in each
    advisory ("First Fixed"). If applicable, the tool also returns the earliest
    release that fixes all the vulnerabilities described in all the advisories
    identified ("Combined First Fixed").

    Customers can use the Cisco Software Checker to search advisories in the
    following ways:

       Choose the software and one or more releases
       Upload a .txt file that includes a list of specific releases
       Enter the output of the show version command

    After initiating a search, customers can customize the search to include
    all Cisco Security Advisories, a specific advisory, or all advisories in
    the most recent bundled publication.

    Customers can also use the following form to determine whether a release is
    affected by any Cisco Security Advisory by entering a Cisco IOS or IOS XE
    Software release-for example, 15.1(4)M2 or 3.13.8S :

    By default, the Cisco Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, customers can use the
    Cisco Software Checker on Cisco.com and check the Medium check box in the
    drop-down list under Impact Rating when customizing a search.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: September 2021 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-capwap-rce-LYgj8Kf

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-SEP-22  |
    +----------+---------------------------+----------+--------+--------------+


- --------------------------------------------------------------------------------


Cisco IOS XE Software for Catalyst 9800 Series Wireless Controllers EoGRE
Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-ewlc-gre-6u4ELzAT
First Published: 2021 September 22 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvx48107
CVE Names:       CVE-2021-1611
CWEs:            CWE-399

Summary

  o A vulnerability in Ethernet over GRE (EoGRE) packet processing of Cisco IOS
    XE Wireless Controller Software for the Cisco Catalyst 9800 Family Wireless
    Controller, Embedded Wireless Controller, and Embedded Wireless on Catalyst
    9000 Series Switches could allow an unauthenticated, remote attacker to
    cause a denial of service (DoS) condition on an affected device.

    This vulnerability is due to improper processing of malformed EoGRE
    packets. An attacker could exploit this vulnerability by sending malicious
    packets to the affected device. A successful exploit could allow the
    attacker to cause the device to reload, resulting in a DoS condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-gre-6u4ELzAT

    This advisory is part of the September 2021 release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication. For a complete list
    of the advisories and links to them, see Cisco Event Response: September
    2021 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco IOS XE Wireless Controller Software if the
    device is running a vulnerable release and has an interface configured with
    an EoGRE tunnel. The following Cisco products are vulnerable:

       Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and
        9500 Series Switches
       Catalyst 9800 Series Wireless Controllers
       Catalyst 9800 Wireless Controller for Cloud
       Embedded Wireless Controller on Catalyst Access Points

    Note : The EoGRE feature is not enabled by default on affected devices. The
    feature can be enabled on interfaces by using either IPv4 or IPv6.

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       IOS Software
       IOS XR Software
       Meraki products
       NX-OS Software
       Wireless LAN Controller (WLC) AireOS Software

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page , to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides the Cisco Software Checker to identify
    any Cisco Security Advisories that impact a specific software release and
    the earliest release that fixes the vulnerabilities described in each
    advisory ("First Fixed"). If applicable, the tool also returns the earliest
    release that fixes all the vulnerabilities described in all the advisories
    identified ("Combined First Fixed").

    Customers can use the Cisco Software Checker to search advisories in the
    following ways:

       Choose the software and one or more releases
       Upload a .txt file that includes a list of specific releases
       Enter the output of the show version command

    After initiating a search, customers can customize the search to include
    all Cisco Security Advisories, a specific advisory, or all advisories in
    the most recent bundled publication.

    Customers can also use the following form to determine whether a release is
    affected by any Cisco Security Advisory by entering a Cisco IOS or IOS XE
    Software release-for example, 15.1(4)M2 or 3.13.8S :

    By default, the Cisco Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, customers can use the
    Cisco Software Checker on Cisco.com and check the Medium check box in the
    drop-down list under Impact Rating when customizing a search.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: September 2021 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-gre-6u4ELzAT

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-SEP-22  |
    +----------+---------------------------+----------+--------+--------------+


- --------------------------------------------------------------------------------


Cisco IOS XE Software for Catalyst 9800 Series Wireless Controllers IPv6 Denial
of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-ewlc-ipv6-dos-NMYeCnZv
First Published: 2021 September 22 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvw18506
CVE Names:       CVE-2021-34767
CWEs:            CWE-670

Summary

  o A vulnerability in IPv6 traffic processing of Cisco IOS XE Wireless
    Controller Software for Cisco Catalyst 9000 Family Wireless Controllers
    could allow an unauthenticated, adjacent attacker to cause a Layer 2 (L2)
    loop in a configured VLAN, resulting in a denial of service (DoS) condition
    for that VLAN.

    The vulnerability is due to a logic error when processing specific
    link-local IPv6 traffic. An attacker could exploit this vulnerability by
    sending a crafted IPv6 packet that would flow inbound through the wired
    interface of an affected device. A successful exploit could allow the
    attacker to cause traffic drops in the affected VLAN, thus triggering the
    DoS condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-ipv6-dos-NMYeCnZv

    This advisory is part of the September 2021 release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication. For a complete list
    of the advisories and links to them, see Cisco Event Response: September
    2021 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are running
    a vulnerable release of Cisco IOS XE Software:

       Catalyst 9800 Wireless Controllers
       Catalyst 9800 Wireless Controllers for Cloud

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and
        9500 Series Switches
       Embedded Wireless Controller on Catalyst Access Points
       IOS Software
       IOS XR Software
       Meraki products
       NX-OS Software
       Wireless LAN Controller (WLC) AireOS Software

Details

  o When the wireless controller receives certain link-local IPv6 packets from
    the wired network on a VLAN that is used by wireless networks, those
    packets should be encapsulated in CAPWAP and then relayed to the Access
    Points broadcasting the corresponding wireless networks. However, this
    traffic is also being reflected back through the wireless controller's
    wired interfaces, resulting in a Layer 2 (L2) network loop. This could be
    exploited, leading to heavy traffic disruptions on the network.

    The affected platforms are vulnerable with default configuration. No
    specific IPv6 configuration is required on the device.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page , to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides the Cisco Software Checker to identify
    any Cisco Security Advisories that impact a specific software release and
    the earliest release that fixes the vulnerabilities described in each
    advisory ("First Fixed"). If applicable, the tool also returns the earliest
    release that fixes all the vulnerabilities described in all the advisories
    identified ("Combined First Fixed").

    Customers can use the Cisco Software Checker to search advisories in the
    following ways:

       Choose the software and one or more releases
       Upload a .txt file that includes a list of specific releases
       Enter the output of the show version command

    After initiating a search, customers can customize the search to include
    all Cisco Security Advisories, a specific advisory, or all advisories in
    the most recent bundled publication.

    Customers can also use the following form to determine whether a release is
    affected by any Cisco Security Advisory by entering a Cisco IOS or IOS XE
    Software release-for example, 15.1(4)M2 or 3.13.8S :

    By default, the Cisco Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, customers can use the
    Cisco Software Checker on Cisco.com and check the Medium check box in the
    drop-down list under Impact Rating when customizing a search.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: September 2021 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-ipv6-dos-NMYeCnZv

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-SEP-22  |
    +----------+---------------------------+----------+--------+--------------+


- --------------------------------------------------------------------------------


Cisco IOS XE Software for Cisco cBR-8 Converged Broadband Routers Common Open
Policy Service Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-cbr8-cops-Vc2ZsJSx
First Published: 2021 September 22 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvw49029
CVE Names:       CVE-2021-1622
CWEs:            CWE-833

Summary

  o A vulnerability in the Common Open Policy Service (COPS) of Cisco IOS XE
    Software for Cisco cBR-8 Converged Broadband Routers could allow an
    unauthenticated, remote attacker to cause resource exhaustion, resulting in
    a denial of service (DoS) condition.

    This vulnerability is due to a deadlock condition in the code when
    processing COPS packets under certain conditions. An attacker could exploit
    this vulnerability by sending COPS packets with high burst rates to an
    affected device. A successful exploit could allow the attacker to cause the
    CPU to consume excessive resources, which prevents other control plane
    processes from obtaining resources and results in a DoS.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cbr8-cops-Vc2ZsJSx

    This advisory is part of the September 2021 release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication. For a complete list
    of the advisories and links to them, see Cisco Event Response: September
    2021 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco cBR-8 Converged Broadband Routers if they
    are running a release of Cisco IOS XE Software earlier than Release
    16.12.1z1 or Release 17.3.1x and have the COPS feature enabled.

    Determine Whether COPS is Enabled

    The COPS will listen when either of the following is true:

       COPS TCP port 2126 will be opened with packetcable command
       COPS TCP port 3918 will be opened with packetcable multimedia command

    To determine whether the COPS is listening, log in to the device and issue
    the show running-config | include packetcable CLI command. If the output
    returns either packetcable or packetcable multimedia, as shown in the
    following example, then COPS is listening on the device:

        cBR-8# show running-config | include packetcable
        packetcable
        packetcable multimedia
        cBR-8# 
        
    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       IOS Software
       IOS XR Software
       Meraki products
       NX-OS Software

Workarounds

  o There are no workarounds that address this vulnerability. However, there
    are mitigations:

    Customers who use packetcable or packetcable multimedia and leverage a COPS
    server in their environment can configure Cisco cBR-8 Routers to process
    packets from trusted COPS servers only, as shown in the following example:

        cBR-8# configure terminal
        cBR-8(config)#access-list 55 remark ** Permit only Trusted COPS servers **
        cBR-8(config)#access-list 55 permit
        cBR-8(config)#access-list 55 permit
        cBR-8(config)#access-list 55 deny any
        cBR-8(config)#cops listener access-list 55
        cBR-8#

    Customers who are using packetcable or packetcable multimedia but do not
    leverage a COPS server in their environment can configure Cisco cBR-8
    Routers to deny processing any COPS packets, as shown in following example:

        cBR-8# configure terminal
        cBR-8(config)#access-list 55 remark ** Drop All COPS packets **
        cBR-8(config)#access-list 55 deny any
        cBR-8(config)#cops listener access-list 55
        cBR-8#

    Another way to minimize the impact of this vulnerability is to lower the
    COPS server keep alive setting to a value lower than the routing protocol
    keep alive timers. Having a COPS keep alive setting of 15 seconds will not
    remove the vulnerability, but it would force the COPS connection to be
    automatically renewed and clear the deadlock condition on the Cisco cBR8
    Router code before it impacts other control plane protocols. The keep alive
    setting is controlled by the COPS server.

    While these mitigations have been deployed and were proven successful in a
    test environment, customers should determine the applicability and
    effectiveness in their own environment and under their own use conditions.
    Customers should be aware that any workaround or mitigation that is
    implemented may negatively impact the functionality or performance of their
    network based on intrinsic customer deployment scenarios and limitations.
    Customers should not deploy any workarounds or mitigations before first
    evaluating the applicability to their own environment and any impact to
    such environment.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page , to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides the Cisco Software Checker to identify
    any Cisco Security Advisories that impact a specific software release and
    the earliest release that fixes the vulnerabilities described in each
    advisory ("First Fixed"). If applicable, the tool also returns the earliest
    release that fixes all the vulnerabilities described in all the advisories
    identified ("Combined First Fixed").

    Customers can use the Cisco Software Checker to search advisories in the
    following ways:

       Choose the software and one or more releases
       Upload a .txt file that includes a list of specific releases
       Enter the output of the show version command

    After initiating a search, customers can customize the search to include
    all Cisco Security Advisories, a specific advisory, or all advisories in
    the most recent bundled publication.

    Customers can also use the following form to determine whether a release is
    affected by any Cisco Security Advisory by entering a Cisco IOS or IOS XE
    Software release-for example, 15.1(4)M2 or 3.13.8S :

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: September 2021 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cbr8-cops-Vc2ZsJSx

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-SEP-22  |
    +----------+---------------------------+----------+--------+--------------+


- --------------------------------------------------------------------------------


Cisco IOS XE Software for Cisco cBR-8 Converged Broadband Routers Simple
Network Management Protocol Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-cbr8snmp-zGjkZ9Fc
First Published: 2021 September 22 16:00 GMT
Version 1.0:     Final
Workarounds:     Yes
Cisco Bug IDs:   CSCvw60229
CVE Names:       CVE-2021-1623
CWEs:            CWE-399

Summary

  o A vulnerability in the Simple Network Management Protocol (SNMP) punt
    handling function of Cisco cBR-8 Converged Broadband Routers could allow an
    authenticated, remote attacker to overload a device punt path, resulting in
    a denial of service (DoS) condition.

    This vulnerability is due to the punt path being overwhelmed by large
    quantities of SNMP requests. An attacker could exploit this vulnerability
    by sending a large number of SNMP requests to an affected device. A
    successful exploit could allow the attacker to overload the device punt
    path, resulting in a DoS condition.

    Cisco has released software updates that address this vulnerability. There
    are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cbr8snmp-zGjkZ9Fc

    This advisory is part of the September 2021 release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication. For a complete list
    of the advisories and links to them, see Cisco Event Response: September
    2021 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco cBR-8 Converged Broadband Routers if they
    are running a vulnerable release of Cisco IOS XE Software and have the SNMP
    server feature enabled.

    For information about which Cisco software releases are vulnerable, see the
    Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       IOS Software
       IOS XR Software
       Meraki products
       NX-OS Software

Details

  o With the fix of Cisco Bug ID CSCvw60229 , as described in this advisory, a
    new SNMP-specific punt-cause has been introduced. The default rate is 512
    packets per second. This can be tuned using the platform punt-policer
    cable-snmp {rate} command. For more information, see the platform
    punt-policer section of Cisco CMTS Cable Command Reference .

    The SNMP packets could be sent over either IPv4 or IPv6. Configurations for
    both SNMP versions 2c and 3 are affected. This vulnerability applies to
    SNMP requests that have valid SNMP community strings or credentials,
    depending on the SNMP version.

Workarounds

  o There is a workaround that addresses this vulnerability.

    Ensure that only trusted systems can poll the Cisco cBR-8 Routers and limit
    those systems to 500 pps or less, as shown in the following example:

        !
        ip access-list extended 100
        10 permit udp host 10.10.10.10 host 192.168.1.1 eq snmp
        ip access-list extended 101
        10 permit udp any host 192.168.1.1 eq snmp
        !
        class-map match-any snmp_trusted
        match access-group 100
        class-map match-any snmp_untrusted
        match access-group 101
        !
        policy-map copp_policy
        ! rate-limit trusted SNMP pkts to 500 pps
        class snmp_trusted
          police rate 500 pps conform-action transmit exceed-action drop
        ! drop all untrusted SNMP pkts (both actions are drop)
        class snmp_untrusted
          police rate 1 pps conform-action drop exceed-action drop
        class class-default
        !
        control-plane
        service-policy input copp_policy

        Where 10.10.10.10 is the IPv4 address of the SNMP Client and
        192.168.1.1 is the IPv4 address on the cBR-8 that the SNMP
        requests are sent to.

    While this workaround has been deployed and was proven successful in a test
    environment, customers should determine the applicability and effectiveness
    in their own environment and under their own use conditions. Customers
    should be aware that any workaround or mitigation that is implemented may
    negatively impact the functionality or performance of their network based
    on intrinsic customer deployment scenarios and limitations. Customers
    should not deploy any workarounds or mitigations before first evaluating
    the applicability to their own environment and any impact to such
    environment.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page , to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
    /en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS
    and IOS XE Software, Cisco provides the Cisco Software Checker to identify
    any Cisco Security Advisories that impact a specific software release and
    the earliest release that fixes the vulnerabilities described in each
    advisory ("First Fixed"). If applicable, the tool also returns the earliest
    release that fixes all the vulnerabilities described in all the advisories
    identified ("Combined First Fixed").

    Customers can use the Cisco Software Checker to search advisories in the
    following ways:

       Choose the software and one or more releases
       Upload a .txt file that includes a list of specific releases
       Enter the output of the show version command

    After initiating a search, customers can customize the search to include
    all Cisco Security Advisories, a specific advisory, or all advisories in
    the most recent bundled publication.

    Customers can also use the following form to determine whether a release is
    affected by any Cisco Security Advisory by entering a Cisco IOS or IOS XE
    Software release-for example, 15.1(4)M2 or 3.13.8S :

    By default, the Cisco Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating (SIR).
    To include results for Medium SIR vulnerabilities, customers can use the
    Cisco Software Checker on Cisco.com and check the Medium check box in the
    drop-down list under Impact Rating when customizing a search.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: September 2021 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cbr8snmp-zGjkZ9Fc

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2021-SEP-22  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYUvLKeNLKJtyKPYoAQgcVQ/9F958KUGEDQhLACwwVuU2ENbPFMQzUt4j
6N9IyJ/ceFzVYWTXUUWemizYFiDF9mDyKD1JGS3aV+sO6fRyuzQVRQmNtm+RvWp9
8hjDxE9B/jj/mxw4pMu3PD/iOdwrB83kVUQYsi7WHaE/2AbwzOlDUD26lJGJzmss
uPOM4jCfJTEJK0X0DYvqMEBujNnK7di7Gm4sqcPRsZMyqN9frFOmziwa4Hj4LmOJ
zj4JH0CRFyHB+4+4mbiVoz04bALHzRCLky2DVAzvKji6eWSMZJVuBz/eW8MdH5Mp
b7+JTYTYm+eEq69dOIAv7g1dhbOAuwESJn+HPyyI8KVJBhurRXJ83m1TUkpd4Re6
cSMFJ/SvMyMgBgYhL5NVGQoPTjzlc9zWa3XpFCBEO3RwhHoclHyLstuQAtmEwW1Z
7m7y6ECrzqa5f15Ckpvjr7BOEITlDwtBcKDD//XcFvo2sG8UNDtanRw64IYfkpYD
OUA0LATp8NJOzlumgaPKr/diSE/NBMsT+6MimC4tj4awmkbdK9S8HJLIDzUzPgOW
tROy7Yg0onVTlwcet1rWeIBbq+YGu1x55yGa1sq9ndLlW8uTI9Z3e5KSIoo8zchW
LPgBq4vaPnRuuHwU0eYk+XBW9s78StstR/EAmuPva4ASNog+lKkRzacVTyCPk/JY
EqdyvID7rrg=
=I0tb
-----END PGP SIGNATURE-----