TCP State Manipulation DOS vulnerability & IOS version question

Jan 16th, 2010

Hi all

Does anyone know if IOS version 12.1(27b)E4 protects against the above vulnerability (CVE-2008-4609)?

It's the latest available version of 12.1 in Software Centre for MSFC2 for a 6509 so it probably does but I need to know for sure.

The following doc lists all software versions and fixes for most other IOS versions but doesn't specify the required version for 12.1E. It's on an old 6509 in Hybrid mode, upgrade to Native mode isn't an option at the moment.

Thanks in advance

glen.grant Sat, 01/16/2010 - 13:47

I think 12.1 is considered a dead EOL train at this point. That version you are looking at came out in early 2008 and that advisory late 2009, so no, it would not be covered.

Update: I was correct, found this for that train. It also corresponds to the last release date, which was March 2008.

End of software maintenance releases date

The last date that Cisco Engineering may release any final software maintenance releases or bug fixes. After this date, Cisco Engineering will no longer develop, repair, maintain, or test the product software.


Service Delivery Sat, 01/16/2010 - 14:09

Thanks for replying, makes sense in terms of the dates involved. Do you know what the latest software versions you can have in Hybrid mode with Sup2/MSFC2? CatOS is 7.6(24a) as per the advisory. IOS is currently 12.1(27b)E4.

Just trying to figure out whether the IOS update required to comply with the advisory is gonna mean going to Native mode. I think anything from 12.2 onwards requires Sup720 upgrade and you guessed it, Sup upgrade not an option, the entire network is gonna be binned in 12 months but has to be compliant up till that time.

glen.grant Sat, 01/16/2010 - 17:08

Unfortunately I think your only options are going to be leave it like it is or go native. It looks like native does have an image that complies, but you know the whole caveat that goes with that as far as NVRAM and flash capacity, which will be considerably more for the native requirements. Here is the latest native image. Where I work we have a number of these under the same constraints and none of them have enough NVRAM and flash to upgrade, so they are staying at the current version until they get replaced.

Release Date: 30/Sep/2009

Size: 50152.04 KB  (51355684 bytes)
Minimum Memory: DRAM:256 MB  Flash:64 MB

Here are the bulletin fix releases so I think it falls under the fix version.

12.2SXF            12.2(18)SXF16                       12.2(18)SXF17; Available on 30-SEP-2009

Service Delivery Wed, 01/27/2010 - 02:06

Hi there

Sorry for belated reply and thanks for your input Glen. TAC have confirmed the way to go is upgrade CatOS to 7.6(24a) and upgrade IOS to 12.2(18)SXF17, stay in Hybrid mode and upgrade any memory as required. Going to Native would be the obvious choice but the customer wants to minimise time and money spent on this as they're walking away from it in Dec so they wanna avoid the big CatOS to IOS config rewrite!!

Thanks again!

