Date: Thu, 10 Jun 1999 14:59:10 -0000 From: psirt@cisco.com To: BUGTRAQ@netspace.org Subject: Cisco security notice: Cisco IOS Software established Access List Keyword Error -----BEGIN PGP SIGNED MESSAGE----- Cisco IOS Software established Access List Keyword Error Revision 1.2 For public release on Thursday, 1999 June 10, at 08:00AM US/Pacific (UTC-0700) =========================================================================== Summary ======= Cisco 12000 series Gigabit Switch Routers running certain versions of Cisco IOS software forward unauthorized traffic due to an error encountered while processing the established keyword in an access-list statement. The resulting vulnerability could be exploited to circumvent a site's security policy. Only Cisco Gigabit Switch Routers (currently the 12008 and 12012 GSRs) running Cisco IOS software release 11.2(14)GS2 through 11.2(15)GS3 are vulnerable. This error is corrected in release 11.2(15)GS5 and later versions. This error is not present in any version of Cisco IOS software release 12.0S and later. Non-GSR releases are not affected. The bug ID associated with this error is CSCdm36197. Who Is Affected =============== A GSR running release 11.2(14)GS2 through 11.2(15)GS3 is vulnerable if the keyword established is used in an access-list statement. A GSR running release 11.2(15)GS5 and later or any version of release 12.0S is not affected. What is Affected ================ The Cisco 12000 series Gigabit Switch Router (GSR) is the only Cisco product that is affected by this vulnerability. Currently the 12008 GSR and the 12012 GSR are the only two models in the series. No other Cisco product is affected by this vulnerability. The Cisco 12000 series Gigabit Switch Router is a large rack-mount device, approximately twenty to sixty inches (0.5 to 1.5meters) tall and twenty inches (0.5 meters) deep, that requires specialized power connections to supply forty to sixty amps of electricity. GSRs are typically used by major Internet Service Providers at their most important interconnection points. If you do not have a Cisco 12000 series GSR, then you are not affected by the vulnerability described in this notice. Description =========== When an affected Cisco Gigabit Switch Router (GSR) executes the following command on an interface: access-list 101 permit tcp any any established the established keyword is ignored. This will cause the GSR to forward all TCP traffic for the relevant interface, contrary to the restriction intended in the access-list statement. Impact ====== This vulnerability can be exploited to circumvent your security policy, resulting in unauthorized access to systems and unauthorized release of information. This may be inadvertent or intentional. Exploiting the flaw requires no special tools or knowledge. It can be determined if your system is vulnerable by attempting to exploit the vulnerability. It is not necessary to make an attempt if it can be determined that you are running one of the affected releases of software on a GSR and a copy of the configuration can be obtained or reverse-engineered. Software Versions and Fixes =========================== This bug, documented as CSCdm36197, initially appears in 11.2(14)GS2, the first release of Cisco IOS software to support access lists on the GSR. The bug is present in versions of Cisco IOS software from 11.2(14)GS2 to 11.2(15)GS3, inclusive. The earliest repaired version is 11.2(15)GS5. If you are running any vulnerable version of 11.2GS and wish to resolve this problem with the least possible change to your existing version of software, you should upgrade to 11.2(15)GS5 or later. This bug is not present in any release of 12.0S, so upgrading to 12.0S or later will also remove the vulnerability. Obtaining Software - ---------------- Cisco is offering free software upgrades to repair this vulnerability for all affected customers. Customers with current support contracts may upgrade to any software version. Customers without support contracts that are running release 11.2(14)GS2 through 11.2(15)GS3 may upgrade to 11.2(15)GS5 or any later 11.2GS release that has been repaired. As always, customers may install only the feature sets they have purchased. Customers with contracts should obtain upgraded software through their normal update channels. For most customers, this means that the upgrades should be obtained via the Software Center on Cisco's Worldwide Web site at http://www.cisco.com/. Customers without contracts should get their upgrades by contacting the Cisco Technical Assistance Center (TAC) as follows: * +1 800 553 2447 (toll-free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Give the URL of this notice, http://www.cisco.com/warp/public/770/iosgsracl-pub.shtml, as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Please do not contact or for upgrades. Workarounds =========== If you need the functionality provided by the established keyword for an access-list command, there is no reasonable workaround. Customers may wish to consider modifying the policies on other network components, if possible, to limit exploitation of this vulnerability until such time as they have downloaded a fixed version of software to the affected GSR. Exploitation and Public Announcements ===================================== Cisco knows of no public announcements or discussion of this vulnerability before the date of the public release of this notice. No incidents of malicious exploitation of this vulnerability have been reported to Cisco. This vulnerability was reported to Cisco by a customer. Status of this Notice ===================== This is a final field notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this notice unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this notice. Distribution - ---------- This notice is posted at http://www.cisco.com/warp/public/770/iosgsracl-pub.shtml on Cisco's Worldwide Web site. In addition to Worldwide Web posting, the initial public version of this notice is being distributed via the following mailing lists and Usenet newsgroups: * cust-security-announce@cisco.com * bugtraq@netspace.org * first-teams@first.org (includes CERT/CC) * cisco@spot.colorado.edu * comp.dcom.sys.cisco * firewalls@greatcircle.com * Various internal Cisco mailing lists Future updates of this notice, if any, will be placed on Cisco's Worldwide Web server, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about receiving new information regarding this advisory are encouraged to check occasionally for any updates. Revision History - -------------- Revision 1.0, 1999-06-08 08:00AM US/Pacific Initial public release (-0700) candidate version Revision 1.1, 1999-06-08 11:00AM US/Pacific Fix boilerplate problem. (-0700) Revision 1.2, 1999-06-08 11:10AM US/Pacific More boilerplate. (-0700) Cisco Product Security Incident Assistance Procedures ===================================================== Cisco's Worldwide Web site contains complete information for reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information directly >from Cisco at http://www.cisco.com/warp/public/791/sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco security notices. ======================================================================== This notice is copyright 1999 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all dates and version information. ======================================================================== -----BEGIN PGP SIGNATURE----- Version: Big Secret iQEVAwUBN1/OsnLSeEveylnrAQF0ewf7Bh7GBW4+XKVTE5a3pH5VvUZaryzsIP0k 3bSUvbax2I2pVmM3uYpKKgWvXu7YV80+n8pnTTCy8w6l7+Kx4MWvo6ih6Tx41KsN uRhcXLRvGgthymczGnA8LekRJTNqzcEhzv9JELRjKvqfO1yFTKhFq5DqwdPMhJFv CtQhs2Qb7uvHeyGotUgia/+CI9pllhGqc1U2d7LHlNd6ZQQttXow35XNQonpfo/6 J/dzWaaBajH7bKqwLn0zsb/HaQ4Eq/sZuF+TOVdIqkJ9oSRYKN5W6bEluU+ebIUg 5Fl2y6dgyAjkNIw97icHa/tmBQfeZEyCs5pzLmne/la7+iGT0ZmxVw== =rblB -----END PGP SIGNATURE-----