Published:
10 June 1999
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-1999.077 -- Cisco security notice Cisco IOS Software established Access List Keyword Error 11 June 1999 =========================================================================== Cisco Systems, Inc. has released the following advisory describing a vulnerability which may allow Cisco 12000 series Gigabit Switch Routers running certain versions of Cisco IOS software to forward unauthorised traffic due to an error encountered while processing the established keyword in an access-list statement. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Cisco IOS Software established Access List Keyword Error Revision 1.2 For public release on Thursday, 1999 June 10, at 08:00AM US/Pacific (UTC-0700) =========================================================================== Summary ======= Cisco 12000 series Gigabit Switch Routers running certain versions of Cisco IOS software forward unauthorized traffic due to an error encountered while processing the established keyword in an access-list statement. The resulting vulnerability could be exploited to circumvent a site's security policy. Only Cisco Gigabit Switch Routers (currently the 12008 and 12012 GSRs) running Cisco IOS software release 11.2(14)GS2 through 11.2(15)GS3 are vulnerable. This error is corrected in release 11.2(15)GS5 and later versions. This error is not present in any version of Cisco IOS software release 12.0S and later. Non-GSR releases are not affected. The bug ID associated with this error is CSCdm36197. Who Is Affected =============== A GSR running release 11.2(14)GS2 through 11.2(15)GS3 is vulnerable if the keyword established is used in an access-list statement. A GSR running release 11.2(15)GS5 and later or any version of release 12.0S is not affected. What is Affected ================ The Cisco 12000 series Gigabit Switch Router (GSR) is the only Cisco product that is affected by this vulnerability. Currently the 12008 GSR and the 12012 GSR are the only two models in the series. No other Cisco product is affected by this vulnerability. The Cisco 12000 series Gigabit Switch Router is a large rack-mount device, approximately twenty to sixty inches (0.5 to 1.5meters) tall and twenty inches (0.5 meters) deep, that requires specialized power connections to supply forty to sixty amps of electricity. GSRs are typically used by major Internet Service Providers at their most important interconnection points. If you do not have a Cisco 12000 series GSR, then you are not affected by the vulnerability described in this notice. Description =========== When an affected Cisco Gigabit Switch Router (GSR) executes the following command on an interface: access-list 101 permit tcp any any established the established keyword is ignored. This will cause the GSR to forward all TCP traffic for the relevant interface, contrary to the restriction intended in the access-list statement. Impact ====== This vulnerability can be exploited to circumvent your security policy, resulting in unauthorized access to systems and unauthorized release of information. This may be inadvertent or intentional. Exploiting the flaw requires no special tools or knowledge. It can be determined if your system is vulnerable by attempting to exploit the vulnerability. It is not necessary to make an attempt if it can be determined that you are running one of the affected releases of software on a GSR and a copy of the configuration can be obtained or reverse-engineered. Software Versions and Fixes =========================== This bug, documented as CSCdm36197, initially appears in 11.2(14)GS2, the first release of Cisco IOS software to support access lists on the GSR. The bug is present in versions of Cisco IOS software from 11.2(14)GS2 to 11.2(15)GS3, inclusive. The earliest repaired version is 11.2(15)GS5. If you are running any vulnerable version of 11.2GS and wish to resolve this problem with the least possible change to your existing version of software, you should upgrade to 11.2(15)GS5 or later. This bug is not present in any release of 12.0S, so upgrading to 12.0S or later will also remove the vulnerability. Obtaining Software - - ---------------- Cisco is offering free software upgrades to repair this vulnerability for all affected customers. Customers with current support contracts may upgrade to any software version. Customers without support contracts that are running release 11.2(14)GS2 through 11.2(15)GS3 may upgrade to 11.2(15)GS5 or any later 11.2GS release that has been repaired. As always, customers may install only the feature sets they have purchased. Customers with contracts should obtain upgraded software through their normal update channels. For most customers, this means that the upgrades should be obtained via the Software Center on Cisco's Worldwide Web site at http://www.cisco.com/. Customers without contracts should get their upgrades by contacting the Cisco Technical Assistance Center (TAC) as follows: * +1 800 553 2447 (toll-free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Give the URL of this notice, http://www.cisco.com/warp/public/770/iosgsracl-pub.shtml, as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Please do not contact <psirt@cisco.com> or <security-alert@cisco.com> for upgrades. Workarounds =========== If you need the functionality provided by the established keyword for an access-list command, there is no reasonable workaround. Customers may wish to consider modifying the policies on other network components, if possible, to limit exploitation of this vulnerability until such time as they have downloaded a fixed version of software to the affected GSR. Exploitation and Public Announcements ===================================== Cisco knows of no public announcements or discussion of this vulnerability before the date of the public release of this notice. No incidents of malicious exploitation of this vulnerability have been reported to Cisco. This vulnerability was reported to Cisco by a customer. Status of this Notice ===================== This is a final field notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this notice unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this notice. Distribution - - ---------- This notice is posted at http://www.cisco.com/warp/public/770/iosgsracl-pub.shtml on Cisco's Worldwide Web site. In addition to Worldwide Web posting, the initial public version of this notice is being distributed via the following mailing lists and Usenet newsgroups: * cust-security-announce@cisco.com * bugtraq@netspace.org * first-teams@first.org (includes CERT/CC) * cisco@spot.colorado.edu * comp.dcom.sys.cisco * firewalls@greatcircle.com * Various internal Cisco mailing lists Future updates of this notice, if any, will be placed on Cisco's Worldwide Web server, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about receiving new information regarding this advisory are encouraged to check occasionally for any updates. Revision History - - -------------- Revision 1.0, 1999-06-08 08:00AM US/Pacific Initial public release (-0700) candidate version Revision 1.1, 1999-06-08 11:00AM US/Pacific Fix boilerplate problem. (-0700) Revision 1.2, 1999-06-08 11:10AM US/Pacific More boilerplate. (-0700) Cisco Product Security Incident Assistance Procedures ===================================================== Cisco's Worldwide Web site contains complete information for reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information directly from Cisco at http://www.cisco.com/warp/public/791/sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco security notices. ======================================================================== This notice is copyright 1999 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all dates and version information. ======================================================================== - -----BEGIN PGP SIGNATURE----- Version: Big Secret iQEVAwUBN1/OsnLSeEveylnrAQF0ewf7Bh7GBW4+XKVTE5a3pH5VvUZaryzsIP0k 3bSUvbax2I2pVmM3uYpKKgWvXu7YV80+n8pnTTCy8w6l7+Kx4MWvo6ih6Tx41KsN uRhcXLRvGgthymczGnA8LekRJTNqzcEhzv9JELRjKvqfO1yFTKhFq5DqwdPMhJFv CtQhs2Qb7uvHeyGotUgia/+CI9pllhGqc1U2d7LHlNd6ZQQttXow35XNQonpfo/6 J/dzWaaBajH7bKqwLn0zsb/HaQ4Eq/sZuF+TOVdIqkJ9oSRYKN5W6bEluU+ebIUg 5Fl2y6dgyAjkNIw97icHa/tmBQfeZEyCs5pzLmne/la7+iGT0ZmxVw== =rblB - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It will not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBN25wUih9+71yA2DNAQHgIwP6AieRORNLNJ4R64iArAIl8cBguD5T3fjp WcwwUrCgeBElswwYBotL0ARIjI3gT85og9uCZ7/HJ4E2zIUVtjBSzBRK1yzshxuu uiqVd8p6PTBw05Ux06OZR7C77x9JT0lu0Qfu3n1RnO+s1ufC0Y7P4XiNkOd3jTn6 1xepUASSLFs= =EtM/ -----END PGP SIGNATURE-----