cisco.12000.ios.11.2.txt

`Date: Thu, 10 Jun 1999 14:59:10 -0000  
From: [email protected]  
To: [email protected]  
Subject: Cisco security notice: Cisco IOS Software established Access List Keyword Error  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
Cisco IOS Software established Access List Keyword Error  
Revision 1.2  
  
For public release on Thursday, 1999 June 10, at 08:00AM US/Pacific (UTC-0700)  
===========================================================================  
  
Summary  
=======  
Cisco 12000 series Gigabit Switch Routers running certain versions of Cisco  
IOS software forward unauthorized traffic due to an error encountered while  
processing the established keyword in an access-list statement. The  
resulting vulnerability could be exploited to circumvent a site's security  
policy.  
  
Only Cisco Gigabit Switch Routers (currently the 12008 and 12012 GSRs)  
running Cisco IOS software release 11.2(14)GS2 through 11.2(15)GS3 are  
vulnerable.  
  
This error is corrected in release 11.2(15)GS5 and later versions.  
  
This error is not present in any version of Cisco IOS software release 12.0S  
and later. Non-GSR releases are not affected.  
  
The bug ID associated with this error is CSCdm36197.  
  
Who Is Affected  
===============  
A GSR running release 11.2(14)GS2 through 11.2(15)GS3 is vulnerable if the  
keyword established is used in an access-list statement.  
  
A GSR running release 11.2(15)GS5 and later or any version of release 12.0S  
is not affected.  
  
What is Affected  
================  
The Cisco 12000 series Gigabit Switch Router (GSR) is the only Cisco product  
that is affected by this vulnerability. Currently the 12008 GSR and the  
12012 GSR are the only two models in the series. No other Cisco product is  
affected by this vulnerability.  
  
The Cisco 12000 series Gigabit Switch Router is a large rack-mount device,  
approximately twenty to sixty inches (0.5 to 1.5meters) tall and twenty  
inches (0.5 meters) deep, that requires specialized power connections to  
supply forty to sixty amps of electricity. GSRs are typically used by major  
Internet Service Providers at their most important interconnection points.  
If you do not have a Cisco 12000 series GSR, then you are not affected by  
the vulnerability described in this notice.  
  
Description  
===========  
When an affected Cisco Gigabit Switch Router (GSR) executes the following  
command on an interface:  
  
access-list 101 permit tcp any any established  
  
the established keyword is ignored. This will cause the GSR to forward all  
TCP traffic for the relevant interface, contrary to the restriction intended  
in the access-list statement.  
  
Impact  
======  
This vulnerability can be exploited to circumvent your security policy,  
resulting in unauthorized access to systems and unauthorized release of  
information. This may be inadvertent or intentional. Exploiting the flaw  
requires no special tools or knowledge. It can be determined if your system  
is vulnerable by attempting to exploit the vulnerability. It is not  
necessary to make an attempt if it can be determined that you are running  
one of the affected releases of software on a GSR and a copy of the  
configuration can be obtained or reverse-engineered.  
  
Software Versions and Fixes  
===========================  
This bug, documented as CSCdm36197, initially appears in 11.2(14)GS2, the  
first release of Cisco IOS software to support access lists on the GSR.  
  
The bug is present in versions of Cisco IOS software from 11.2(14)GS2 to  
11.2(15)GS3, inclusive. The earliest repaired version is 11.2(15)GS5.  
  
If you are running any vulnerable version of 11.2GS and wish to resolve this  
problem with the least possible change to your existing version of software,  
you should upgrade to 11.2(15)GS5 or later.  
  
This bug is not present in any release of 12.0S, so upgrading to 12.0S or  
later will also remove the vulnerability.  
  
Obtaining Software  
- ----------------  
Cisco is offering free software upgrades to repair this vulnerability for  
all affected customers. Customers with current support contracts may upgrade  
to any software version. Customers without support contracts that are  
running release 11.2(14)GS2 through 11.2(15)GS3 may upgrade to 11.2(15)GS5  
or any later 11.2GS release that has been repaired. As always, customers may  
install only the feature sets they have purchased.  
  
Customers with contracts should obtain upgraded software through their  
normal update channels. For most customers, this means that the upgrades  
should be obtained via the Software Center on Cisco's Worldwide Web site at  
http://www.cisco.com/.  
  
Customers without contracts should get their upgrades by contacting the  
Cisco Technical Assistance Center (TAC) as follows:  
  
* +1 800 553 2447 (toll-free from within North America)  
* +1 408 526 7209 (toll call from anywhere in the world)  
* e-mail: [email protected]  
  
Give the URL of this notice,  
http://www.cisco.com/warp/public/770/iosgsracl-pub.shtml, as evidence of  
your entitlement to a free upgrade. Free upgrades for non-contract customers  
must be requested through the TAC.  
  
Please do not contact <[email protected]> or <[email protected]> for  
upgrades.  
  
Workarounds  
===========  
If you need the functionality provided by the established keyword for an  
access-list command, there is no reasonable workaround.  
  
Customers may wish to consider modifying the policies on other network  
components, if possible, to limit exploitation of this vulnerability until  
such time as they have downloaded a fixed version of software to the  
affected GSR.  
  
Exploitation and Public Announcements  
=====================================  
Cisco knows of no public announcements or discussion of this vulnerability  
before the date of the public release of this notice. No incidents of  
malicious exploitation of this vulnerability have been reported to Cisco.  
  
This vulnerability was reported to Cisco by a customer.  
  
Status of this Notice  
=====================  
This is a final field notice. Although Cisco cannot guarantee the accuracy  
of all statements in this notice, all the facts have been checked to the  
best of our ability. Cisco does not anticipate issuing updated versions of  
this notice unless there is some material change in the facts. Should there  
be a significant change in the facts, Cisco may update this notice.  
  
Distribution  
- ----------  
This notice is posted at  
  
http://www.cisco.com/warp/public/770/iosgsracl-pub.shtml  
  
on Cisco's Worldwide Web site. In addition to Worldwide Web posting, the  
initial public version of this notice is being distributed via the  
following mailing lists and Usenet newsgroups:  
  
* [email protected]  
* [email protected]  
* [email protected] (includes CERT/CC)  
* [email protected]  
* comp.dcom.sys.cisco  
* [email protected]  
* Various internal Cisco mailing lists  
  
Future updates of this notice, if any, will be placed on Cisco's Worldwide  
Web server, but may or may not be actively announced on mailing lists or  
newsgroups. Users concerned about receiving new information regarding this  
advisory are encouraged to check occasionally for any updates.  
  
Revision History  
- --------------  
Revision 1.0, 1999-06-08 08:00AM US/Pacific Initial public release  
(-0700) candidate version  
  
Revision 1.1, 1999-06-08 11:00AM US/Pacific Fix boilerplate problem.  
(-0700)  
  
Revision 1.2, 1999-06-08 11:10AM US/Pacific More boilerplate.  
(-0700)  
  
Cisco Product Security Incident Assistance Procedures  
=====================================================  
Cisco's Worldwide Web site contains complete information for reporting  
security vulnerabilities in Cisco products, obtaining assistance with  
security incidents, and registering to receive security information directly  
>from Cisco at  
  
http://www.cisco.com/warp/public/791/sec_incident_response.shtml.  
  
This includes instructions for press inquiries regarding Cisco security  
notices.  
  
========================================================================  
This notice is copyright 1999 by Cisco Systems, Inc. This notice may be  
redistributed freely after the release date given at the top of the text,  
provided that redistributed copies are complete and unmodified, including  
all dates and version information.  
========================================================================  
-----BEGIN PGP SIGNATURE-----  
Version: Big Secret  
  
iQEVAwUBN1/OsnLSeEveylnrAQF0ewf7Bh7GBW4+XKVTE5a3pH5VvUZaryzsIP0k  
3bSUvbax2I2pVmM3uYpKKgWvXu7YV80+n8pnTTCy8w6l7+Kx4MWvo6ih6Tx41KsN  
uRhcXLRvGgthymczGnA8LekRJTNqzcEhzv9JELRjKvqfO1yFTKhFq5DqwdPMhJFv  
CtQhs2Qb7uvHeyGotUgia/+CI9pllhGqc1U2d7LHlNd6ZQQttXow35XNQonpfo/6  
J/dzWaaBajH7bKqwLn0zsb/HaQ4Eq/sZuF+TOVdIqkJ9oSRYKN5W6bEluU+ebIUg  
5Fl2y6dgyAjkNIw97icHa/tmBQfeZEyCs5pzLmne/la7+iGT0ZmxVw==  
=rblB  
-----END PGP SIGNATURE-----  
  
`