PT-2016-6839 · Cisco · Cisco IOS XR +1

Published: 2016-08-10 · Updated: 2016-11-28 · CVE-2016-6355

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

Cisco IOS XR versions 5.1.x through 5.1.3

Cisco IOS XR versions 5.2.x through 5.2.5

Cisco IOS XR versions 5.3.x through 5.3.2

Description

A memory leak in Cisco IOS XR Software for Cisco ASR 9001 Aggregation Services Routers allows remote attackers to cause a denial of service (control-plane protocol outage) via crafted fragmented packets. The vulnerability is due to improper handling of crafted, fragmented packets that are directed to an affected device. An attacker could exploit this vulnerability by sending crafted, fragmented packets to an affected device for processing and reassembly. A successful exploit could allow the attacker to cause a memory leak on the route processor (RP) of the device, which could cause the device to drop all control-plane protocols and eventually lead to a denial of service condition on the targeted system.

Recommendations

For Cisco IOS XR versions 5.1.x through 5.1.3, update to a fixed software version.

For Cisco IOS XR versions 5.2.x through 5.2.5, update to a fixed software version.

For Cisco IOS XR versions 5.3.x through 5.3.2, update to a fixed software version.

As a temporary mitigation, consider implementing measures to restrict the receipt of crafted, fragmented packets to minimize the risk of exploitation.

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2016-6355

Affected Products

ASR 9001
Cisco IOS XR