120 lines
4.9 KiB
Plaintext
120 lines
4.9 KiB
Plaintext
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
CA-92:20 CERT Advisory
|
|
December 10, 1992
|
|
Cisco Access List Vulnerability
|
|
- -----------------------------------------------------------------------------
|
|
|
|
The CERT Coordination Center has received information concerning a
|
|
vulnerability with Cisco routers when access lists are utilized. This
|
|
vulnerability is present in Cisco software releases 8.2, 8.3, 9.0 and 9.1.
|
|
|
|
Cisco Systems and CERT strongly recommend that sites using Cisco routers
|
|
for firewalls take immediate action to eliminate this vulnerability from
|
|
their networks.
|
|
|
|
This vulnerability is fixed in Cisco software releases 8.3 (update 5.10),
|
|
9.0 (update 2.5), 9.1 (update 1.1) and in all later releases. Customers
|
|
who are using software release 8.2 and do not want to upgrade to a later
|
|
release should contact Cisco's Technical Assistance Center (TAC) at
|
|
800-553-2447 (Internet: tac@cisco.com) for more information.
|
|
|
|
The following interim releases are available via anonymous FTP from
|
|
ftp.cisco.com (131.108.1.111).
|
|
|
|
Note: this FTP server will not allow filenames to be listed or matched
|
|
with wildcards. You also cannot request the file by its full pathname.
|
|
You must first cd to the desired directory (beta83_dir, beta90_dir, or
|
|
beta91_dir) and then request the file desired (gs3-bfx.83-5.10, etc.).
|
|
|
|
Release (Update) Filename Size Checksum
|
|
8.3 (5.10) /beta83_dir/gs3-bfx.83-5.10 1234696 02465 1206
|
|
9.0 (2.5) /beta90_dir/gs3-bfx.90-2.5 1705364 47092 1666
|
|
9.1 (1.1) /beta91_dir/gs3-k.91-1.1 2005548 59407 1959
|
|
|
|
These releases are also available on Cisco's Customer Information On-Line
|
|
(CIO) service for those customers having a maintenance contract.
|
|
Other customers may obtain these releases through Cisco's Technical
|
|
Assistance Center or by contacting their local Cisco distributor.
|
|
|
|
- -----------------------------------------------------------------------------
|
|
|
|
I. Description
|
|
|
|
A vulnerability in Cisco access lists allows some packets to be
|
|
erroneously routed which one would expect to be filtered by the access
|
|
list and vice-versa. This vulnerability can allow unauthorized traffic
|
|
to pass through the gateway and can block authorized traffic.
|
|
|
|
II. Problem
|
|
|
|
If a Cisco router is configured to use extended IP access lists for
|
|
traffic filtering on an MCI, SCI, cBus or cBusII interface, and the IP
|
|
route cache is enabled, and the "established" keyword is used in the
|
|
access list, then the access list can be improperly evaluated. This
|
|
can permit packets which should be filtered and filter packets which
|
|
should be permitted.
|
|
|
|
III. Workaround
|
|
|
|
This vulnerability can be avoided by either rewriting the extended
|
|
access list to not use the "established" keyword, or by configuring
|
|
the interface to not use the IP route cache. To disable the IP route
|
|
cache, use the configuration command "no ip route-cache".
|
|
|
|
Example for a serial interface:
|
|
router>enable
|
|
|
|
Password:
|
|
router#configure terminal
|
|
|
|
Enter configuration commands, one per line.
|
|
Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z
|
|
interface serial 0
|
|
no ip route-cache
|
|
^Z
|
|
router#write memory
|
|
|
|
IV. Solution
|
|
|
|
Obtain and install the appropriate interim release listed above.
|
|
Sites which are not experienced at this installation process
|
|
should contact the TAC center at 800-553-2447 for assistance.
|
|
|
|
- ---------------------------------------------------------------------------
|
|
The CERT Coordination Center wishes to thank Keith Reynolds of the
|
|
Santa Cruz Operation for his assistance in identifying this problem
|
|
and Cisco Systems for their assistance in providing technical information
|
|
for this advisory.
|
|
- ---------------------------------------------------------------------------
|
|
If you believe that your system has been compromised, contact the CERT
|
|
Coordination Center or your representative in FIRST (Forum of Incident
|
|
Response and Security Teams).
|
|
|
|
Internet E-mail: cert@cert.org
|
|
Telephone: 412-268-7090 (24-hour hotline)
|
|
CERT personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
|
|
on call for emergencies during other hours.
|
|
|
|
CERT Coordination Center
|
|
Software Engineering Institute
|
|
Carnegie Mellon University
|
|
Pittsburgh, PA 15213-3890
|
|
|
|
Past advisories, information about FIRST representatives, and other
|
|
information related to computer security are available for anonymous FTP
|
|
from cert.org (192.88.209.5).
|
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMaMxFXVP+x0t4w7BAQGblQQAr2ROr7saxHjjuDQZ962vwMDrYZ66tobu
|
|
k1CkBthqW7YtkKx2bFfsS9B/rPTeVO4WriAcD0TYHVfra0SOUB+tvB9+oRje9feC
|
|
stxmfkRhSUMwl6jQAAN7mFZAOK1ALz779iMm3R+qHjqtIo4n92IyHKm8teeRmZxP
|
|
CpIAkplfA6A=
|
|
=k0fp
|
|
-----END PGP SIGNATURE-----
|
|
|