Cisco has confirmed that Cisco IOS XR Software, Cisco IOS Software, Cisco IOS XE Software, Cisco NX-OS Software, Cisco ASA Software, and Cisco StarOS Software are affected by the vulnerability described in this advisory.

Note: Affected devices that are configured with a global IPv6 address on at least one interface and are processing traffic can be exploited by a remote attacker. Affected devices that are configured with only a link-local address on interfaces and are processing IPv6 traffic can be exploited with crafted packets only by a Layer 2 adjacent attacker.

For information about which software releases are affected, see the “Fixed Software” section of this advisory.

Cisco IOS XR Software

The following Cisco products are affected by this vulnerability if they are running an affected release of Cisco IOS XR Software and IPv6 is enabled on one or more interfaces:

Cisco 12000 Series Routers
Cisco ASR 9000 Series Aggregation Services Routers
Cisco Carrier Routing System
Cisco Network Convergence System 4000 Series
Cisco Network Convergence System 6000 Series Routers

All types of line cards on those platforms are affected by this vulnerability.

If a device is running an affected release of Cisco IOS XR Software and IPv6 is enabled, administrators can identify interfaces that have assigned IPv6 addresses by using the show ipv6 interface brief command in the command-line interface (CLI).

The following example shows the output of the command on a device that is running Cisco IOS XR Software with IPv6 enabled:

RP/0/RP0/CPU0:router# show ipv6 interface brief
<!output omitted>
GigabitEthernet0/2/0/0 [Up/Up]
    fe80::212:daff:fe62:c150
    202::1

In addition, if IPv6 is enabled, the ipv6 enable interface configuration command is present in the configuration.

The following example shows the output of a vulnerable configuration:

RP/0/RP0/CPU0:router(config)# interface GigabitEthernet0/2/0/0
RP/0/RP0/CPU0:router(config-if)# ipv6 enable

If IPv6 is not supported by the Cisco IOS XR Software release that is running on a device, use of the show ipv6 interface brief command produces an error message.
If IPv6 is not enabled on the device, use of the show ipv6 interface brief command does not show any interfaces with IPv6 addresses.
In either scenario, the device is not affected by this vulnerability.

Cisco IOS Software

Cisco products are affected by this vulnerability if they are running an affected release of Cisco IOS Software and IPv6 is enabled on one or more interfaces. By default, IPv6 is not enabled.

To determine whether IPv6 is enabled on one or more interfaces, administrators can use the show running-config | include ipv6.(enable|address) privileged EXEC command in the CLI.
If IPv6 is enabled, ipv6 enable and ipv6 address appear in the output of the command.

The following example shows the output of the show running-config | include ipv6.(enable|address) command on a device that is running Cisco IOS XE Software with IPv6 configured:

Router# show running-config | include ipv6.(enable|address)
ipv6 enable
ipv6 address dhcp rapid-commit
ipv6 address autoconfig
ipv6 address MANAGEMENT ::1FFF:0:0:0:3560/128
ipv6 address 2001:DB8::1/64

Cisco IOS XE Software

The following Cisco products are affected by this vulnerability if they are running an affected release of Cisco IOS XE Software and IPv6 is enabled on one or more interfaces that process traffic:

Cisco 4300 Series Integrated Services Routers
Cisco 4400 Series Integrated Services Routers
Cisco ASR 900 Series Aggregation Services Routers
Cisco ASR 1000 Series Aggregation Services Routers
Cisco Cloud Services Router 1000V Series
Switches running Cisco IOS XE Software

By default, IPv6 is not enabled.

This vulnerability does not depend on any specific combination of Embedded Services Processor (ESP) and Route Processor (RP) installations on the chassis. Any combination of ESP and RP chassis installations is affected by this vulnerability.

To determine whether IPv6 is enabled on one or more interfaces, administrators can use the show running-config | include ipv6.(enable|address) privileged EXEC command in the CLI.
If IPv6 is enabled, ipv6 enable or ipv6 address appear in the output of the command.

The following example shows the output of the show running-config | include ipv6.(enable|address) command on a device that is running Cisco IOS XE Software with IPv6 configured:

Router# show running-config | include ipv6.(enable|address)
ipv6 enable
ipv6 address dhcp rapid-commit
ipv6 address autoconfig
ipv6 address MANAGEMENT ::1FFF:0:0:0:3560/128
ipv6 address 2001:DB8::1/64
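
Added example (not part of the Cisco advisory and not Cisco code): the include filter above confirms that IPv6 is configured but drops the interface context, so this Python sketch reads a saved Cisco IOS or IOS XE running-config and reports, per interface, which attacker position from the note at the top of this advisory applies. The sample configuration is constructed, the names classify_line and audit are hypothetical, and treating dhcp, autoconfig and general-prefix forms as able to yield a global address is an assumption.

```python
import ipaddress
import re

# Constructed sample of a saved IOS / IOS XE running-config (not from the advisory).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ipv6 address 2001:DB8::1/64
interface GigabitEthernet0/1
 ipv6 enable
interface GigabitEthernet0/2
 ipv6 address FE80::1 link-local
interface GigabitEthernet0/3
 ipv6 address autoconfig
interface GigabitEthernet0/4
 ipv6 enable
 ipv6 address MANAGEMENT ::1FFF:0:0:0:3560/128
"""

RANK = {"none": 0, "layer2-adjacent": 1, "remote": 2}

def classify_line(line):
    """Map one interface sub-command to the attacker position it exposes."""
    m = re.match(r"ipv6 (enable|address)(?=\s|$)\s*(\S*)", line.strip())
    if not m:
        return "none"
    if m.group(1) == "enable":
        return "layer2-adjacent"  # only a link-local address is created
    try:
        addr = ipaddress.IPv6Interface(m.group(2)).ip
    except ValueError:
        # Assumption: dhcp, autoconfig or a general-prefix name may yield a global address.
        return "remote"
    return "layer2-adjacent" if addr.is_link_local else "remote"

def audit(config):
    """Return {interface: exposure} for interfaces with IPv6 configured."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif current and line.startswith(" "):
            level = classify_line(line)
            if RANK[level] > RANK[result.get(current, "none")]:
                result[current] = level
    return result

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Interfaces reported as remote are the ones to prioritize for the fixed release; layer2-adjacent interfaces are reachable only from the local segment.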

Cisco NX-OS Software

All Cisco products running Cisco NX-OS Software are affected by this vulnerability if IPv6 is enabled on one or more interfaces that process traffic.

By default, IPv6 is not enabled.

To determine whether IPv6 is enabled on one or more interfaces, administrators can use the show running-config | include ipv6.address privileged EXEC command in the CLI.
If IPv6 is enabled, ipv6 address appears in the output of the command.

The following example shows the output of the show running-config | include ipv6.address command on a device that is running Cisco NX-OS Software with IPv6 enabled:

Router# show running-config | include ipv6.address
ipv6 address 2001:DB8::1/64

Cisco ASA Software

IPv6 is not enabled by default.

To enable IPv6 on a Cisco ASA or Cisco ASASM, at a minimum a link-local address needs to be configured for IPv6 to operate correctly.
If a global address is configured, a link-local address is automatically configured on each interface. To verify that the Cisco ASA or Cisco ASASM has IPv6 enabled, administrators can use the show ipv6 interface command in the CLI and confirm that the command returns output.

The following example shows a Cisco ASA that has two interfaces (inside and outside) configured and IPv6 enabled:

ciscoasa# show ipv6 interface
outside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::219:2fff:fe83:4f42
  No global unicast address is configured
  Joined group address(es):
    ff02::1
    ff02::1:ff83:4f42
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses.
inside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::219:2fff:fe83:4f43
  No global unicast address is configured
  Joined group address(es):
    ff02::1
    ff02::1:ff83:4f43
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses.

Cisco StarOS Software

Cisco ASR 5000 Series devices running Cisco StarOS Software are affected by this vulnerability if IPv6 is enabled on one or more interfaces that process traffic.

By default, IPv6 is not enabled.

To determine whether IPv6 is enabled on one or more interfaces, administrators can use the show ipv6 interface summary privileged EXEC command in the CLI.
If IPv6 is enabled, an IPv6 address appears in the output of the command.

The following example shows the output of the show ipv6 interface summary command on a device that is running Cisco StarOS Software with IPv6 enabled:

[local]router# show ipv6 interface summary
Friday February 21 09:00:07 UTC 2014
Interface Name                 Address/Mask        Port               Status
============================== =================== ================== ======
int1_test_v6                   2001:db8::1/64      20/1 vlan 122      UP
int2_test_v6                   2001:db8::2/64      21/1 vlan 122      UP
int3_test_v6                   2001:db8::3/64      22/1 vlan 122      UP
int4_test_v6                   2001:db8::4/64      23/1 vlan 130      UP

Determining the Cisco IOS XR Software Release

To determine which Cisco IOS XR Software release is running on a device and the name of the device on which it is running, administrators can log in to the device and use the show version command in the CLI.
If the device is running Cisco IOS XR Software, Cisco IOS XR Software or similar text appears in the system banner.

The location and name of the system image file that is currently running on the device appears next to the System image file is text.

The name of the hardware product appears on the line after the name of the system image file.

The following example shows the output of the show version command on a device that is running Cisco IOS XR Software Release 4.1.0 with an installed image name of mbihfr-rp.vm:

RP/0/RP0/CPU0:router# show version
Mon May 31 02:14:12.722 DST
Cisco IOS XR Software, Version 4.1.0
Copyright (c) 2010 by Cisco Systems, Inc.
ROM: System Bootstrap, Version 2.100(20100129:213223) [CRS-1 ROMMON],
router uptime is 1 week, 6 days, 4 hours, 22 minutes
System image file is “bootflash:disk0/hfr-os-mbi-4.1.0/mbihfr-rp.vm”
cisco CRS-8/S (7457) processor with 4194304K bytes of memory.
7457 processor at 1197Mhz, Revision 1.2

Determining the Cisco IOS Software Release

To determine which Cisco IOS Software release is running on a Cisco product, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears.
If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software.

The image name appears in parentheses followed by the Cisco IOS Software release number and release name.
Some Cisco devices do not support the show version command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 15.5(2)T1 with an installed image name of C2951-UNIVERSALK9-M:

Router> show version
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 22-Jun-15 09:32 by prod_rel_team
…

Determining the Cisco IOS XE Software Release

To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device and use the show version command in the CLI.
If the device is running Cisco IOS XE Software, Cisco IOS XE Software or similar text appears in the system banner. The following example shows the output of the show version command on a device that is running Cisco IOS XE Software Release 3.6.2S, which maps to Cisco IOS Software Release 15.2(2)S2: 

Router# show version
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(2)S2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 07-Aug-12 13:40 by mcpre

Determining the Cisco NX-OS Software Release

To determine which Cisco NX-OS Software release is running on a device, administrators can log in to the device and use the show version command in the CLI.
If the device is running Cisco NX-OS Software, Cisco Nexus Operating System (NX-OS) Software or similar text appears in the system banner.

The following example shows the output of the show version command for a Cisco Nexus 5000 Series Switch running Cisco NX-OS Software Release 7.1(1)N1(1):

# show version
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
Copyright (c) 2002-2012, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.

Software
  BIOS:      version 3.6.0
  loader:    version N/A
  kickstart: version 7.1(1)N1(1)
  system:    version 7.1(1)N1(1)

Determining the Cisco ASA Software Release

To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the show version command.

The following example shows a device running Cisco ASA Software Release 8.4(1):

ciscoasa#show version | include Version
Cisco Adaptive Security Appliance Software Version 8.4(1)
Device Manager Version 6.4(1)

Customers who use Cisco ASDM to manage devices can locate the software release in the table that appears in the login window or the upper-left corner of the Cisco ASDM window.

Determining the Cisco StarOS Software Release

To determine which Cisco StarOS Software release is running on a Cisco product, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. Each software image can be identified by its release version and its corresponding build number.

The following example identifies a Cisco product that is running Cisco StarOS Software Release 15.0 (49328):

[local<host_name># show version
Active Software:
Image Version: 15.0 (49328)
Image Branch Version: 015.000(001)
Image Description: Production_Build
Image Date: Tue Apr 23 00:45:12 EDT 2013
Boot Image: Unknown