Cisco IOS Malformed IPV4 Packet Denial of Service Vulnerability

JungChoi77534
Level 1

Hello again,

I am seeing the vulnerability listed in the title on our client's C3750X Catalyst switches.


Some of the switches do run older IOS (one is as old as 12.2), but the one that I have been working on to fix is on 15.2(4)E7. I know that E10 is now available, but I would think that a vulnerability reported years back would be addressed in any of the updates since.


I even tried creating an ACL to deny 53 55 77 on the switch and assigning it to all 48 interfaces, but I am still seeing the scan report this vulnerability.

Perhaps I didn't create the ACL correctly or apply it correctly, but I am at a loss as to what to do next.

I have attached a copy of the current running config to see if anyone can point me in the right direction.

Thank you

Seb Rupik
VIP Alumni

Hi there,

Please can you share the Cisco vulnerability ID that you are trying to mitigate?

cheers,

Seb.

Hello Seb,

This is actually a vulnerability that was picked up by a Qualys scan. It is being listed as a potential vulnerability and has not been confirmed.

QID from Qualys is 43051.

Hello,

I have the same problem, but my device is a 2960 switch and I applied the access list on all the interfaces, including the VLANs, and every time I run Qualys it shows the same potential vulnerability. The current OS version is 15.2(7)E2.

Extended IP access list 101
30 permit tcp host X.X.X.X eq domain any
40 permit udp host X.X.X.X eq domain any
50 deny 53 any any
60 deny 55 any any
70 deny 77 any any
80 permit ip any any (15548 matches)

I want to add that I have the same access list on a Cisco switch 4510, and it blocks ports 53, 55 and 77.

Why is it not working on a 2960 switch?

Any help. Thank you.

Hi there,

In your ACLs, the numbers 53, 55 and 77 are protocol numbers, not port numbers.

For reference:

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#extacls

https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers

cheers,

Seb.
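To make the protocol-number versus port-number distinction concrete, here is an added Python parser (my own illustration, not code from this thread or from Cisco) that reads the `show access-list` lines posted above and reports what each entry actually matches. The lookup tables are constructed for the example; the numeric values are IANA IP protocol numbers and `domain` is the IOS keyword for port 53.

```python
import re

# Constructed lookup tables for illustration. The numeric keys are IANA
# IP protocol numbers (6 = TCP, 17 = UDP, 53 = SWIPE, 55 = MOBILE, 77 = SUN-ND);
# IOS also accepts keywords such as ip/tcp/udp in the protocol field.
IP_PROTO_NAMES = {6: "tcp", 17: "udp", 53: "swipe", 55: "mobile", 77: "sun-nd"}
PORT_NAMES = {"domain": 53}  # IOS port keyword used in the posted ACL

def parse_address(tokens):
    """Consume one source/destination spec: any | host A.B.C.D | A.B.C.D wildcard."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; only tcp/udp entries carry one."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return PORT_NAMES.get(name, int(name) if name.isdigit() else name), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse one extended-ACL entry as printed by 'show access-list'."""
    line = re.sub(r"\(\d+ matches\)", "", line)  # strip the hit counter
    tokens = line.split()
    if tokens[0].isdigit():  # leading sequence number
        tokens = tokens[1:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = parse_address(rest)
    src_port, rest = parse_port(rest)
    dst, rest = parse_address(rest)
    dst_port, rest = parse_port(rest)
    # A bare number in the protocol field is an IP protocol number, never a port.
    if proto.isdigit():
        matches = f"IP protocol {proto} ({IP_PROTO_NAMES.get(int(proto), 'not in table')})"
    else:
        matches = f"{proto} protocol"
    return {"action": action, "matches": matches, "src": src,
            "src_port": src_port, "dst": dst, "dst_port": dst_port}

def explain(line):
    """One-line summary of what an ACE really matches."""
    ace = parse_ace(line)
    ports = [f"{side} port {p}" for side, p in
             (("src", ace["src_port"]), ("dst", ace["dst_port"])) if p is not None]
    return f"{ace['action']} {ace['matches']}" + (", " + ", ".join(ports) if ports else "")
```

Feeding it `50 deny 53 any any` yields `deny IP protocol 53 (swipe)`, while the `permit tcp ... eq domain` line is the only entry that refers to port 53 at all.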

Hi all,

I'm also getting this issue on 2960X IOS version 15.2(7)E3.

Is there a solution for this?

Hello,

Did you apply the transit ACL to all inbound and outbound interfaces? And still see the vulnerability?

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030717-blocked

Hi,

Yes, I applied the ACL, except for port 53.

Hi,

One other question: is version 15 affected by this vulnerability, or only version 12?

Hello,

According to the official service note, only versions 11.x and 12.x should be affected.

Are you using Qualys as well?

Hi,

Yes, I'm also using Qualys.

Hello,

What if you send traffic to a port on which the ACL is applied, using the protocols denied in the access list?

What does Qualys actually report?
