Vigil@nce - Cisco IOS XR: denial of service via the IEEE 802.3 flow control
August 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send an ill formed IEEE 802.3 PAUSE frame to Cisco
IOS XR, in order to trigger a denial of service.
Impacted products: Cisco ASR, IOS XR Cisco.
Severity: 2/4.
Creation date: 23/06/2015.
DESCRIPTION OF THE VULNERABILITY
The Cisco IOS XR product implements the IEEE 802.3 LAN protocol
(slightly different than Ethernet) and its extension IEEE 802.3x
for flow control.
This extension defines a PAUSE frame the role of which is make the
LAN stations stop sending frames for the specified duration.
However, the frame decoder is not complete and some ill formed
frames trigger a fatal error in IOS XR.
An attacker can therefore send an ill formed IEEE 802.3 PAUSE
frame to Cisco IOS XR, in order to trigger a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN