AUSCERT External Security Bulletin Redistribution
                    ESB-1999.077 -- Cisco security notice
           Cisco IOS Software established Access List Keyword Error
                              11 June 1999


Cisco Systems, Inc. has released the following advisory describing a
vulnerability which may allow Cisco 12000 series Gigabit Switch Routers
running certain versions of Cisco IOS software to forward unauthorised
traffic due to an error encountered while processing the established
keyword in an access-list statement.

- --------------------------BEGIN INCLUDED TEXT--------------------


Cisco IOS Software established Access List Keyword Error
Revision 1.2

For public release on Thursday, 1999 June 10, at 08:00AM US/Pacific (UTC-0700)

Cisco 12000 series Gigabit Switch Routers running certain versions of Cisco
IOS software forward unauthorized traffic due to an error encountered while
processing the established keyword in an access-list statement. The
resulting vulnerability could be exploited to circumvent a site's security

Only Cisco Gigabit Switch Routers (currently the 12008 and 12012 GSRs)
running Cisco IOS software release 11.2(14)GS2 through 11.2(15)GS3 are

This error is corrected in release 11.2(15)GS5 and later versions.

This error is not present in any version of Cisco IOS software release 12.0S
and later. Non-GSR releases are not affected.

The bug ID associated with this error is CSCdm36197.

Who Is Affected
A GSR running release 11.2(14)GS2 through 11.2(15)GS3 is vulnerable if the
keyword established is used in an access-list statement.

A GSR running release 11.2(15)GS5 and later or any version of release 12.0S
is not affected.

What is Affected
The Cisco 12000 series Gigabit Switch Router (GSR) is the only Cisco product
that is affected by this vulnerability. Currently the 12008 GSR and the
12012 GSR are the only two models in the series. No other Cisco product is
affected by this vulnerability.

The Cisco 12000 series Gigabit Switch Router is a large rack-mount device,
approximately twenty to sixty inches (0.5 to 1.5meters) tall and twenty
inches (0.5 meters) deep, that requires specialized power connections to
supply forty to sixty amps of electricity. GSRs are typically used by major
Internet Service Providers at their most important interconnection points.
If you do not have a Cisco 12000 series GSR, then you are not affected by
the vulnerability described in this notice.

When an affected Cisco Gigabit Switch Router (GSR) executes the following
command on an interface:

     access-list 101 permit tcp any any established

the established keyword is ignored. This will cause the GSR to forward all
TCP traffic for the relevant interface, contrary to the restriction intended
in the access-list statement.

This vulnerability can be exploited to circumvent your security policy,
resulting in unauthorized access to systems and unauthorized release of
information. This may be inadvertent or intentional. Exploiting the flaw
requires no special tools or knowledge. It can be determined if your system
is vulnerable by attempting to exploit the vulnerability. It is not
necessary to make an attempt if it can be determined that you are running
one of the affected releases of software on a GSR and a copy of the
configuration can be obtained or reverse-engineered.

Software Versions and Fixes
This bug, documented as CSCdm36197, initially appears in 11.2(14)GS2, the
first release of Cisco IOS software to support access lists on the GSR.

The bug is present in versions of Cisco IOS software from 11.2(14)GS2 to
11.2(15)GS3, inclusive. The earliest repaired version is 11.2(15)GS5.

If you are running any vulnerable version of 11.2GS and wish to resolve this
problem with the least possible change to your existing version of software,
you should upgrade to 11.2(15)GS5 or later.

This bug is not present in any release of 12.0S, so upgrading to 12.0S or
later will also remove the vulnerability.

Obtaining Software
- - ----------------
Cisco is offering free software upgrades to repair this vulnerability for
all affected customers. Customers with current support contracts may upgrade
to any software version. Customers without support contracts that are
running release 11.2(14)GS2 through 11.2(15)GS3 may upgrade to 11.2(15)GS5
or any later 11.2GS release that has been repaired. As always, customers may
install only the feature sets they have purchased.

Customers with contracts should obtain upgraded software through their
normal update channels. For most customers, this means that the upgrades
should be obtained via the Software Center on Cisco's Worldwide Web site at

Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC) as follows:

   * +1 800 553 2447 (toll-free from within North America)
   * +1 408 526 7209 (toll call from anywhere in the world)
   * e-mail: tac@cisco.com

Give the URL of this notice,
http://www.cisco.com/warp/public/770/iosgsracl-pub.shtml, as evidence of
your entitlement to a free upgrade. Free upgrades for non-contract customers
must be requested through the TAC.

Please do not contact <psirt@cisco.com> or <security-alert@cisco.com> for

If you need the functionality provided by the established keyword for an
access-list command, there is no reasonable workaround.

Customers may wish to consider modifying the policies on other network
components, if possible, to limit exploitation of this vulnerability until
such time as they have downloaded a fixed version of software to the
affected GSR.

Exploitation and Public Announcements
Cisco knows of no public announcements or discussion of this vulnerability
before the date of the public release of this notice. No incidents of
malicious exploitation of this vulnerability have been reported to Cisco.

This vulnerability was reported to Cisco by a customer.

Status of this Notice
This is a final field notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions of
this notice unless there is some material change in the facts. Should there
be a significant change in the facts, Cisco may update this notice.

- - ----------
This notice is posted at


on Cisco's Worldwide Web site. In addition to Worldwide Web posting, the
initial public version of this notice is being distributed via the
following mailing lists and Usenet newsgroups:

   * cust-security-announce@cisco.com
   * bugtraq@netspace.org
   * first-teams@first.org (includes CERT/CC)
   * cisco@spot.colorado.edu
   * comp.dcom.sys.cisco
   * firewalls@greatcircle.com
   * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about receiving new information regarding this
advisory are encouraged to check occasionally for any updates.

Revision History
- - --------------
 Revision 1.0, 1999-06-08 08:00AM US/Pacific      Initial public release
 (-0700)                                          candidate version

 Revision 1.1, 1999-06-08 11:00AM US/Pacific      Fix boilerplate problem.

 Revision 1.2, 1999-06-08 11:10AM US/Pacific      More boilerplate.

Cisco Product Security Incident Assistance Procedures
Cisco's Worldwide Web site contains complete information for reporting
security vulnerabilities in Cisco products, obtaining assistance with
security incidents, and registering to receive security information directly
from Cisco at


This includes instructions for press inquiries regarding Cisco security

This notice is copyright 1999 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, including
all dates and version information.
Version: Big Secret


- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It will
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key