CISCO-SA-ISIS-DOS-KDMXPSZK

Vulnerable Products:

This vulnerability affects Cisco devices if they are running a vulnerable release of Cisco IOS XR Software and have the IS-IS multi-instance routing feature enabled.

For information about which Cisco software releases are vulnerable, see the Fixed Software ["#fs"] section of this advisory.

Determine Whether the Device Has a Vulnerable Configuration

To determine whether a device is configured for IS-IS multi-instance routing, use the show running-config router isis | include instance-id EXEC CLI command. If the command returns at least one instance-id, the device is configured for IS-IS multi-instance routing and is affected by this vulnerability, as shown in the following example:

RP/0/RP0/CPU0:ios#show running-config router isis | include instance-id Mon Feb 9 17:30:18.448 UTC instance-id 1 RP/0/RP0/CPU0:ios#

If the command returns no output, the device is not affected by this vulnerability.Products Confirmed Not Vulnerable:

Only products listed in the Vulnerable Products ["#vp"] section of this advisory are known to be affected by this vulnerability.

Cisco has confirmed that this vulnerability does not affect the following Cisco products:

IOS Software IOS XE Software NX-OS SoftwareWorkarounds:

There are no workarounds that address this vulnerability.

As a mitigation, configure IS-IS area authentication. This would require an attacker to authenticate successfully to the IS-IS area before they are able to form an adjacency and exploit this vulnerability. For more information on configuring IS-IS authentication, see the IS-IS Authentication ["https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/routing/24xx/configuration/guide/b-routing-cg-ncs5500-24xx/implementing-isis.html#con_1276647"] section of the Routing Configuration Guide for Cisco NCS 5500 Series Routers, IOS XR Release 24.1.x, 24.2.x, 24.3.x, 24.4.x.

While this mitigation has been deployed and was proven successful in a test environment,...