

A vulnerability in the Common Open Policy Service (COPS) of Cisco IOS XE Software for Cisco cBR-8 Converged Broadband Routers could allow an unauthenticated, remote attacker to cause resource exhaustion, resulting in a denial of service (DoS) condition.

This vulnerability is due to a deadlock condition in the code when processing COPS packets under certain conditions. An attacker could exploit this vulnerability by sending COPS packets with high burst rates to an affected device. A successful exploit could allow the attacker to cause the CPU to consume excessive resources, which prevents other control plane processes from obtaining resources and results in a DoS.

Cisco has released software updates that address this vulnerability.

This advisory is available at the following link:

This advisory is part of the September 2021 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2021 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

There are no workarounds that address this vulnerability. However, there are mitigations:

Customers who use PacketCable or PacketCable Multimedia and leverage a COPS server in their environment can configure Cisco cBR-8 Routers to process packets from trusted COPS servers only, as shown in the following example:

    cBR-8# configure terminal
    cBR-8(config)#access-list 55 remark ** Permit only Trusted COPS servers **
    cBR-8(config)#cops listener access-list 55

Customers who are using PacketCable or PacketCable Multimedia but do not leverage a COPS server in their environment can configure Cisco cBR-8 Routers to deny processing any COPS packets, as shown in the following example:

    cBR-8# configure terminal
    cBR-8(config)#access-list 55 remark ** Drop All COPS packets **

Another way to minimize the impact of this vulnerability is to lower the COPS server keep alive setting to a value lower than the routing protocol keep alive timers. The keep alive setting is controlled by the COPS server. Having a COPS keep alive setting of 15 seconds will not remove the vulnerability, but it would force the COPS connection to be renewed automatically and clear the deadlock condition on the Cisco cBR-8 Router before it impacts other control plane protocols.

While these mitigations have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions.
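A configuration check for the cops listener access-list mitigation described above, added here as an example and not part of the Cisco advisory. It assumes running-config text in the usual IOS line format and uses a constructed sample excerpt in which 192.0.2.10 is a placeholder COPS server address.

```python
"""Check a cBR-8 running-config excerpt for the COPS listener mitigation.
Added example (not from the advisory): confirms that `cops listener
access-list <n>` is configured and that the referenced standard ACL only
permits explicit `host` entries, flagging broad permits such as `permit any`."""
import re

# Constructed sample excerpt; 192.0.2.10 is a placeholder COPS server address.
SAMPLE_CONFIG = """\
!
access-list 55 remark ** Permit only Trusted COPS servers **
access-list 55 permit host 192.0.2.10
!
cops listener access-list 55
!
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")
LISTENER_RE = re.compile(r"^cops listener access-list\s+(\d+)\s*$")


def parse_acls(config: str) -> dict:
    """Return {acl_number: [(action, target), ...]} in configured order."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).strip()))
    return acls


def check_cops_mitigation(config: str) -> list:
    """Return findings as strings; an empty list means the mitigation is in place."""
    listener_acl = None
    for line in config.splitlines():
        m = LISTENER_RE.match(line.strip())
        if m:
            listener_acl = m.group(1)
    if listener_acl is None:
        return ["no 'cops listener access-list' configured: COPS accepted from any source"]
    findings = []
    entries = parse_acls(config).get(listener_acl, [])
    if not entries:
        # Referenced ACL has no entries; report it rather than assume deny-all.
        findings.append(f"ACL {listener_acl} is referenced but has no entries")
    for action, target in entries:
        # Only explicit single-host permits count as "trusted COPS servers".
        if action == "permit" and not target.startswith("host "):
            findings.append(f"ACL {listener_acl} permits non-host target '{target}'")
    return findings
```

Run it over the output of `show running-config` from each cBR-8 to confirm the listener ACL is present and does not contain a broad permit.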
