             AUSCERT External Security Bulletin Redistribution

 Cisco Aggregate Services Router 9000 ASR9K Security Bypass Vulnerability
                               13 April 2015


        AusCERT Security Bulletin Summary

Product:           Cisco Aggregate Services Router 9000
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0694  

Original Bulletin: 

--------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Alert

Cisco Aggregate Services Router 9000 ASR9K Security Bypass Vulnerability

Threat Type: CWE-264: Permissions, Privileges, and Access Control

IntelliShield ID: 38292

Version: 1

First Published: 2015 April 09 20:41 GMT

Last Published: 2015 April 09 20:41 GMT

Port: Not available

CVE: CVE-2015-0694

Urgency: Unlikely Use

Credibility: Confirmed

Severity: Mild Damage

CVSS Base: 5.0

CVSS Version 2.0

CVSS Temporal: 4.1

Version Summary: Cisco Aggregation Services Router 9000 software contains a 
vulnerability that could allow an attacker to bypass security protections.


A vulnerability in the Object-ACL matching process of Cisco Aggregation 
Services Router 9000 (ASR9K) could allow an unauthenticated, remote attacker 
to bypass the protection offered by a configured access control list (ACL) on
an affected device.

The vulnerability is due to the ASR9K handling host access control entries 
incorrectly: an entry written with the host keyword matches any address instead
of only the specified host address. An attacker could exploit this vulnerability
to bypass the access control list, leading to traffic loss or unwanted permits.

Cisco has confirmed the vulnerability and released software updates.

Warning Indicators

At the time this alert was first published, Cisco Aggregation Services Router
9000 software version 5.3.0.BASE was vulnerable. Other versions of Cisco 
Aggregation Services Router 9000 software may also be affected.

IntelliShield Analysis

The impact of an exploit depends on ACLs in use on the affected system. 
Attackers who could bypass the configured ACLs could gain access to restricted
network resources, possibly resulting in attackers gaining access to critical
systems. Affected systems are not impacted if no ACLs are configured, or ACLs
do not use host values.

Specialized exploit code is not required to exploit the vulnerability.

Vendor Announcements

Cisco has released bug ID CSCur28806 for registered users that contains 
additional details and an up-to-date list of affected product versions.


An unauthenticated, remote attacker could exploit this vulnerability to bypass
ACL protections and gain access to restricted network resources, possibly 
leading to information disclosure or unauthorized access.

Technical Information

The vulnerability is due to improper matching of addresses within access 
control list (ACL) entries. The affected software matches any address when the
host address is used in ACLs.

An unauthenticated, remote attacker could exploit the vulnerability by sending
network requests to the targeted device. The improper processing of the source
addresses could allow the attacker to bypass access control lists and possibly
gain unauthorized access to network resources that should be restricted.


Administrators are advised to apply the appropriate updates.

Administrators are advised to replace the host value in configured ACL entries 
with the equivalent ip/32 value.
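As an added illustration of the workaround above (not code from the Cisco or AusCERT bulletin), the following Python audit script finds `host` operands inside IOS XR `ipv4 access-list` stanzas, reports them per ACL, and rewrites each to the equivalent `/32` prefix so the change can be reviewed before it is applied; the configuration sample is constructed.

```python
import ipaddress
import re

# An ACE's "host A.B.C.D" operand (source or destination position) on an
# IOS XR ipv4 access-list line.
HOST_RE = re.compile(r"\bhost\s+(\d{1,3}(?:\.\d{1,3}){3})(?!\S)")


def _to_prefix(match):
    # ipaddress validates the octets; a malformed address raises rather than
    # being silently rewritten.
    return f"{ipaddress.IPv4Address(match.group(1))}/32"


def rewrite_host_aces(config_text):
    """Return (rewritten_config, findings) for an IOS XR configuration.

    Every 'host A.B.C.D' operand inside an 'ipv4 access-list' stanza is
    replaced with 'A.B.C.D/32'; findings lists (acl_name, original_ace)
    for each changed line. Lines outside ACL stanzas, and ipv6 access-lists,
    are left untouched.
    """
    rewritten, findings, current_acl = [], [], None
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("ipv4 access-list "):
            current_acl = stripped.split(None, 2)[2]
        elif stripped == "!":
            current_acl = None  # '!' closes the stanza in IOS XR show output
        elif current_acl is not None and HOST_RE.search(stripped):
            findings.append((current_acl, stripped))
            line = HOST_RE.sub(_to_prefix, line)
        rewritten.append(line)
    return "\n".join(rewritten), findings


# Constructed sample configuration (RFC 5737 documentation addresses).
SAMPLE_CONFIG = """\
ipv4 access-list MGMT-IN
 10 permit tcp host 192.0.2.10 any eq 22
 20 permit tcp host 192.0.2.11 host 198.51.100.1 eq 22
 30 deny ipv4 any any
!
interface GigabitEthernet0/0/0/0
 ipv4 access-group MGMT-IN ingress
!
"""

if __name__ == "__main__":
    new_config, hits = rewrite_host_aces(SAMPLE_CONFIG)
    for acl, ace in hits:
        print(f"{acl}: {ace}")
    print(new_config)
```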

Administrators are advised to monitor affected systems.


Cisco customers with active contracts can obtain updates through the Software
Center at the following link: Cisco. Cisco customers without contracts can 
obtain upgrades by contacting the Cisco Technical Assistance Center at 
1-800-553-2447 or 1-408-526-7209 or via email at tac@cisco.com.

Alert History

Initial Release

Product Sets

The security vulnerability applies to the following combinations of products.

Primary Products:

Cisco ASR 9000 Series Aggregation Services Routers 5.3.0 Base

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967