Cisco: CISCO-SA-20150409-CVE-2015-0694
Apr 09, 2015 - 8:41 p.m.

Cisco Aggregate Services Router 9000 ASR9K Security Bypass Vulnerability

2015-04-09 20:41:43
tools.cisco.com

CVSS2: 5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.001 Low
Percentile: 47.6%

A vulnerability in the Object-ACL matching process of Cisco Aggregation Services Router 9000 (ASR9K) could allow an unauthenticated, remote attacker to bypass the protection offered by a configured access control list (ACL) on an affected device.

The vulnerability is due to the ASR9K incorrectly handling host access control entries: it matches any address instead of the specified host address. An attacker could exploit this vulnerability to bypass the access control list, leading to traffic loss or unwanted permits.

Cisco has confirmed the vulnerability and released software updates.

The impact of an exploit depends on the ACLs in use on the affected system. Attackers who could bypass the configured ACLs could gain access to restricted network resources, possibly resulting in access to critical systems. Systems are not impacted if no ACLs are configured, or if the configured ACLs do not use host values.

Specialized exploit code is not required to exploit the vulnerability.
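
An added example (not part of the Cisco advisory): a Python check that lists which ACLs in a saved configuration use host values, directly or through a network object group, which is the condition the advisory gives for a system being impacted. The IOS XR-style syntax (`object-group network`, `net-group`, `host`) and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample; the IOS XR-style syntax is an assumption, not from the advisory.
SAMPLE_CONFIG = """\
object-group network ipv4 MGMT-HOSTS
 host 192.0.2.10
!
object-group network ipv4 BRANCH-NETS
 198.51.100.0/24
!
ipv4 access-list EDGE-IN
 10 permit ipv4 net-group MGMT-HOSTS any
!
ipv4 access-list BRANCH-IN
 10 permit ipv4 net-group BRANCH-NETS any
!
ipv4 access-list LEGACY
 10 permit tcp host 203.0.113.5 any eq 22
"""

BLOCK = re.compile(r"^(object-group network ipv[46]|ipv[46] access-list) (\S+)\s*$")
HOST = re.compile(r"(?:^|\s)host\s+\S+")      # "host <addr>", not a name ending in -host
GROUP_REF = re.compile(r"\bnet-group\s+(\S+)")  # object group referenced by an ACL entry

def parse_blocks(config):
    """Return {(kind, name): [body lines]}, kind being 'group' or 'acl'."""
    blocks, body = {}, None
    for line in config.splitlines():
        m = BLOCK.match(line)
        if m:
            body = blocks.setdefault(("acl" if "access-list" in m.group(1) else "group", m.group(2)), [])
        elif body is not None and line.startswith(" "):
            body.append(line.strip())
        else:
            body = None  # "!" or any other top-level line closes the block
    return blocks

def acls_using_host_values(config):
    """Map ACL name -> entries that match on a host value, directly or via a group."""
    blocks = parse_blocks(config)
    host_groups = {name for (kind, name), body in blocks.items()
                   if kind == "group" and any(HOST.search(ln) for ln in body)}
    findings = {}
    for (kind, name), body in blocks.items():
        for ace in (body if kind == "acl" else []):
            via_group = any(g in host_groups for g in GROUP_REF.findall(ace))
            if "remark" not in ace.split()[1:2] and (HOST.search(ace) or via_group):
                findings.setdefault(name, []).append(ace)
    return findings
```

ACLs returned by `acls_using_host_values` are the ones to review first on an unpatched device; an empty result corresponds to the advisory's "ACLs do not use host values" case.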

Affected configurations

Vulners node:
cisco asr_9000_rsp440_router, match: any
OR
cisco asr_9904, match: 9000_series_aggregation_services_routers
