09-13-2012 04:32 AM - edited 03-01-2019 05:36 PM
We have a vulnerability scanner that we use and it has picked up that our Voice GW has a "Cisco IPv6 Crafted Packet Vulnerability"
I entered the commands "no ipv6 unicast-routing" and "no ipv6 cef". The next scan is in a week's time, but would these have done the trick?
Thank you
Bilal
10-22-2012 05:58 PM
The "null 0" interface is the equivalent of /dev/null in Unix. It is a write-only interface used to discard packets quickly. There are cases where routing a packet to the null interface is the fastest way to discard it.
As a write-only interface, there should be no kind of vulnerability associated with it.
There may be a cosmetic bug that the interface is visible at all, but functionally speaking there is no real interface running IPv6 in this configuration.
10-01-2012 01:45 PM
Which scanner are you using, and how did it determine the vulnerability?
If IPv6 is disabled, there should be no issue.
10-02-2012 12:57 AM
Qualys vulnerability scanner, the version of ios is vg224-i6k9s-mz.124-24.T5.bin
The report states:
A vulnerability exists in the processing of IPv6 packets. Crafted packets from the local segment received on logical interfaces (that is, tunnels including 6to4 tunnels) as well as physical interfaces can trigger this vulnerability. Crafted packets cannot traverse a 6to4 tunnel and attack a box across the tunnel.
The crafted packet must be sent from a local network segment to trigger the attack. This vulnerability cannot be exploited one or more hops from the IOS device.
NOTE: This check requires that the "Clear Text Password" check box is enabled in your Authentication Preferences.
Successful exploitation of the vulnerability on Cisco IOS-XR may result in a restart of the IPv6 neighbor discovery process. A restart of this process will only affect IPv6 traffic passing through the system. All other processes and traffic will be unaffected. Repeated exploitation could result in a sustained denial of service attack on IPv6 traffic.
Workaround:
In networks where IPv6 is not needed but enabled, disabling IPv6 processing on an IOS device will eliminate exposure to this vulnerability. On a router which is configured for IPv6, this must be done by issuing the command "no ipv6 enable" and "no ipv6 address" on each interface.
VG224-1(config)#no ipv6 enable
^
% Invalid input detected at '^' marker.
VG224-1(config)#int fa0/0
VG224-1(config-if)#no ipv6 enable
VG224-1(config-if)#int fa0/1
VG224-1(config-if)#no ipv6 enable
What does the note in bold mean? There's no check box in cli :-/
Thank you
10-03-2012 12:42 PM
Does it just scan the configuration information or does it actually test for the vulnerability by probing?
Does it refer to a specific Cisco Security Advisory?
Based on the text you included (which seems to be directly copied from Cisco documents without attribution), it sounds like this may be referring to:
http://www.cisco.com/en/US/products/csa/cisco-sa-20050126-ipv6.html
Which is an ancient vulnerability. 12.4T never had that bug.
I think your next call should be to Qualys.
I don't understand the bold text either. That is the only text not lifted verbatim from the Cisco Security Advisory.
10-08-2012 07:17 AM
Hi Phillip,
The reply I got is the below:
So have I correctly disabled ipv6? :-/
Thanks for your help
10-08-2012 12:18 PM
Having said this, I found the below - should have checked before. I can't actually see this interface in the show interface output.
VG224-1#show ipv6 route
IPv6 Routing Table - Default - 1 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
R - RIP
L FF00::/8 [0/0]
via Null0, receive
VG224-1(config)# interface Null0
VG224-1(config-if)#no ipv6 ?
unreachables Enable sending of ICMP Unreachable messages
VG224-1(config-if)#ipv
VG224-1(config-if)#ipv6 ?
unreachables Enable sending of ICMP Unreachable messages
Do voice GWs use the Null0 interface and for what purpose? There's no way of disabling ipv6 under the interface...?
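The workaround quoted from the Qualys report above (global "no ipv6 unicast-routing" / "no ipv6 cef", then "no ipv6 enable" and "no ipv6 address" on each interface) and the Null0 question in this post both come down to the same check: is any IPv6 command still present in the running configuration, and on which interface? The script below is an added example written for this thread, not code from Cisco, Qualys, or any poster. It parses a flattened "show running-config" text and lists every remaining IPv6 command together with the "no" form that removes it. The sample config is constructed for the example (the hostname is borrowed from the thread); it is not the poster's real configuration. It also shows why the global "no ipv6 enable" was rejected: "ipv6 enable" and "ipv6 address" are interface-mode commands, so the audit looks for them only inside interface blocks, and an interface with no IPv6 lines at all (Null0 in the sample) produces no finding.

```python
import re

# Constructed sample of a flattened "show running-config" (not taken from the
# thread): global IPv6 routing and CEF on, one interface with "ipv6 enable",
# one with an address, and the Null0 pseudo-interface with no IPv6 at all.
SAMPLE_CONFIG = """\
!
hostname VG224-1
!
ipv6 unicast-routing
ipv6 cef
!
interface FastEthernet0/0
 ip address 192.0.2.10 255.255.255.0
 ipv6 enable
!
interface FastEthernet0/1
 ip address 198.51.100.10 255.255.255.0
 ipv6 address 2001:DB8::1/64
!
interface Null0
 no ip unreachables
!
end
"""

# Global-mode commands that turn IPv6 forwarding/switching on.
GLOBAL_IPV6_CMDS = ("ipv6 unicast-routing", "ipv6 cef")

# Interface-mode commands that bring IPv6 up on a link; the advisory's
# workaround removes them with "no ipv6 enable" / "no ipv6 address".
INTERFACE_IPV6_RE = re.compile(r"^ipv6 (enable|address)\b")


def split_config(config):
    """Split a flattened IOS config into (global_lines, {interface: [sub-lines]}).

    IOS indents interface sub-commands by one space and ends each block
    with "!", which is all the structure this audit needs to recover.
    """
    global_lines = []
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
            continue
        line = raw.strip()
        current = None
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line and not line.startswith("!"):
            global_lines.append(line)
    return global_lines, interfaces


def audit_ipv6(config):
    """Return (scope, offending_line, remediation) for every place IPv6 is
    still enabled; an empty list means no IPv6 command remains."""
    findings = []
    global_lines, interfaces = split_config(config)
    for cmd in GLOBAL_IPV6_CMDS:
        if cmd in global_lines:
            findings.append(("global", cmd, f"no {cmd}"))
    for name, sub in interfaces.items():
        for line in sub:
            m = INTERFACE_IPV6_RE.match(line)
            if m:
                # "no ipv6 address" with no argument clears every address on
                # the interface, which is what the workaround asks for.
                findings.append((name, line, f"no ipv6 {m.group(1)}"))
    return findings


def ipv6_disabled(config):
    """True when neither global nor per-interface IPv6 commands remain."""
    return not audit_ipv6(config)


if __name__ == "__main__":
    for scope, line, fix in audit_ipv6(SAMPLE_CONFIG):
        print(f"{scope:<18} {line:<32} -> {fix}")
```

Run it against the text of "show running-config" saved from the gateway (paste it into SAMPLE_CONFIG or read it from a file); an empty result is the state the scanner's workaround describes. The script only reads configuration text, so it can be re-run after the next scan to confirm nothing re-enabled IPv6.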