CVE-2015-6279

Name of the Vulnerable Software and Affected Versions Cisco IOS versions 12.2, 15.0, 15.1, 15.2, 15.3, 15.4, and 15.5 Cisco IOS XE versions 3.2SE, 3.3SE, 3.3XO, 3.4SG, 3.5E, and 3.6E before 3.6.3E Cisco IOS XE versions 3.7E before 3.7.2E Cisco IOS XE versions 3.9S and 3.10S before 3.10.6S Cisco IOS XE versions 3.11S before 3.11.4S Cisco IOS XE versions 3.12S and 3.13S before 3.13.3S Cisco IOS XE versions 3.14S before 3.14.2S

Description The issue is related to the IPv6 snooping functionality in the first-hop security subsystem, which allows remote attackers to cause a denial of service (device reload) via a malformed ND packet with the Cryptographically Generated Address (CGA) option. This is due to insufficient input validation. An unauthenticated, remote attacker could exploit this to cause an affected device to reload.

Recommendations For Cisco IOS versions 12.2, 15.0, 15.1, 15.2, 15.3, 15.4, and 15.5, update to a fixed version. For Cisco IOS XE versions 3.2SE, 3.3SE, 3.3XO, 3.4SG, 3.5E, and 3.6E, update to version 3.6.3E or later. For Cisco IOS XE versions 3.7E, update to version 3.7.2E or later. For Cisco IOS XE versions 3.9S and 3.10S, update to version 3.10.6S or later. For Cisco IOS XE versions 3.11S, update to version 3.11.4S or later. For Cisco IOS XE versions 3.12S and 3.13S, update to version 3.13.3S or later. For Cisco IOS XE versions 3.14S, update to version 3.14.2S or later.