Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +---->
[ Title ]
Cisco Systems IOS GRE decapsulation fault
[ Authors ]
FX <fx@phenoelit.de>
Phenoelit Group (http://www.phenoelit.de)
Advisory http://www.phenoelit.de/stuff/CiscoGRE.txt
[ Affected Products ]
Cisco IOS
Tested on: C3550 IOS 12.1(19)
Cisco Bug ID: CSCuk27655, CSCea22552, CSCei62762
CERT Vu ID: <not assigned>
[ Vendor communication ]
07.07.05 Initial Notification, gaus@cisco.com
27.07.05 PSIRT realized that nobody took this bug, Paul Oxman
took over
28.07.05 Paul successfully reproduces the issue
04.08.05 Paul notifies FX about available fixes
05.08.05 Paul notifies FX about new side effects discovered
by Cisco
06.09.06 Final advisory going public as coordinated release
* Note: Initial notification by Phenoelit
includes a cc to cert@cert.org by default
[ Overview ]
Cisco Systems IOS contains a bug when parsing GRE packets
with GRE source routing information. A specially crafted GRE packet
can cause the router to reuse packet data from unrelated
ring buffer memory. The resulting packet is reinjected into the routing
queues.
[ Description ]
The GRE protocol according to RFC1701 supports a form of source routing
that differs from the one known in IPv4. An optional header is added to
the GRE header containing Source Route Entries for further routing.
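The following is an added example, not code from Phenoelit or Cisco: a
receiver-side parser for the RFC1701 header with Source Route Entries that
bounds-checks every length and offset field before using it. The names
parse_gre, verdict and sample are hypothetical, and the sample packets are
constructed for the example.

```python
import struct

# Flag bits of the first 16-bit GRE word (RFC 1701): C, R, K, S
C_BIT, R_BIT, K_BIT, S_BIT = 0x8000, 0x4000, 0x2000, 0x1000

def parse_gre(pkt: bytes):
    """Return (protocol, [(family, sre_offset, routing_info)], payload).
    Raises ValueError when a field points outside the received packet."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", pkt, 0)
    if flags & 0x0007:
        raise ValueError("GRE version is not 0")
    pos = 4
    if flags & (C_BIT | R_BIT):        # Checksum and Offset words come together
        pos += 4
    pos += 4 if flags & K_BIT else 0   # Key
    pos += 4 if flags & S_BIT else 0   # Sequence Number
    if pos > len(pkt):
        raise ValueError("optional fields exceed packet")
    sres = []
    while flags & R_BIT:
        if pos + 4 > len(pkt):
            raise ValueError("SRE header exceeds packet")
        family, sre_off, sre_len = struct.unpack_from("!HBB", pkt, pos)
        pos += 4
        if family == 0 and sre_len == 0:   # NULL SRE ends the list
            break
        if pos + sre_len > len(pkt):
            raise ValueError("SRE length exceeds packet")
        if sre_off > sre_len:
            raise ValueError("SRE offset exceeds SRE length")
        sres.append((family, sre_off, pkt[pos:pos + sre_len]))
        pos += sre_len
    return proto, sres, pkt[pos:]

def verdict(pkt: bytes) -> str:
    try:
        parse_gre(pkt)
        return "ok"
    except ValueError as exc:
        return str(exc)

def sample(sre_off: int, sre_len: int) -> bytes:
    """Constructed test packet: one IPv4 SRE with 4 bytes of routing data."""
    hdr = struct.pack("!HHHH", R_BIT, 0x0800, 0, 0)
    sre = struct.pack("!HBB", 0x0800, sre_off, sre_len) + bytes([192, 0, 2, 1])
    return hdr + sre + struct.pack("!HBB", 0, 0, 0) + b"payload"

if __name__ == "__main__":
    for off, length in [(0, 4), (0, 200), (8, 4)]:
        print(off, length, verdict(sample(off, length)))
```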
GRE header:
0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1