Jumbo frames crash Cisco's IPS
Cisco has reported that Jumbo Ethernet frames are not handled properly by its Intrusion Prevention System (IPS). While the IPS is operating in inline mode, malformed packets on a gigabit network interface can cause a kernel panic and freeze the IPS. As a result, the system may no longer alert users in case of further attacks. Only a reboot resolves the situation.
Platforms without gigabit Ethernet are not vulnerable. According to Cisco, promiscuous mode is also unaffected. As jumbo Ethernet frames are generally rejected by internet service providers, attacks are confined to LAN environments. Cisco Intrusion Prevention System versions 5.x up to 5.1(8)E2 as well as 6.x up to 6.0(5)E2 are affected. The vendor plans to release versions 5.1(8)E2 and 6.0(5)E2 on June 20.
A vulnerability has also been reported in the Deterministic Network Enhancer (DNE) shipped with Cisco's VPN Client. Flawed processing of certain ioctl
requests in the dne2000.sys
driver allows local users to execute arbitrary code at kernel privilege level, thereby escalating their privileges. The flaw is said to have been resolved in version 3.21.12.17902 of the driver. According to the US-CERT, Cisco has also fixed the flaw in the Windows VPN Client with version 5.0.03.0530.
See also:
- Cisco Intrusion Prevention System Jumbo Frame Denial of Service, Cisco advisory
- Deterministic Network Enhancer privilege escalation vulnerability, report by the US-CERT
(mba)