Date: Thu, 10 Jun 1999 14:59:10 -0000
From: psirt@cisco.com
To: BUGTRAQ@netspace.org
Subject: Cisco security notice: Cisco IOS Software established Access List              Keyword Error

-----BEGIN PGP SIGNED MESSAGE-----

Cisco IOS Software established Access List Keyword Error
Revision 1.2

For public release on Thursday, 1999 June 10, at 08:00AM US/Pacific (UTC-0700)
===========================================================================

Summary
=======
Cisco 12000 series Gigabit Switch Routers running certain versions of Cisco
IOS software forward unauthorized traffic due to an error encountered while
processing the established keyword in an access-list statement. The
resulting vulnerability could be exploited to circumvent a site's security
policy.

Only Cisco Gigabit Switch Routers (currently the 12008 and 12012 GSRs)
running Cisco IOS software release 11.2(14)GS2 through 11.2(15)GS3 are
vulnerable.

This error is corrected in release 11.2(15)GS5 and later versions.

This error is not present in any version of Cisco IOS software release 12.0S
and later. Non-GSR releases are not affected.

The bug ID associated with this error is CSCdm36197.

Who Is Affected
===============
A GSR running release 11.2(14)GS2 through 11.2(15)GS3 is vulnerable if the
keyword established is used in an access-list statement.

A GSR running release 11.2(15)GS5 and later or any version of release 12.0S
is not affected.

What is Affected
================
The Cisco 12000 series Gigabit Switch Router (GSR) is the only Cisco product
that is affected by this vulnerability. Currently the 12008 GSR and the
12012 GSR are the only two models in the series. No other Cisco product is
affected by this vulnerability.

The Cisco 12000 series Gigabit Switch Router is a large rack-mount device,
approximately twenty to sixty inches (0.5 to 1.5meters) tall and twenty
inches (0.5 meters) deep, that requires specialized power connections to
supply forty to sixty amps of electricity. GSRs are typically used by major
Internet Service Providers at their most important interconnection points.
If you do not have a Cisco 12000 series GSR, then you are not affected by
the vulnerability described in this notice.

Description
===========
When an affected Cisco Gigabit Switch Router (GSR) executes the following
command on an interface:

     access-list 101 permit tcp any any established

the established keyword is ignored. This will cause the GSR to forward all
TCP traffic for the relevant interface, contrary to the restriction intended
in the access-list statement.

Impact
======
This vulnerability can be exploited to circumvent your security policy,
resulting in unauthorized access to systems and unauthorized release of
information. This may be inadvertent or intentional. Exploiting the flaw
requires no special tools or knowledge. It can be determined if your system
is vulnerable by attempting to exploit the vulnerability. It is not
necessary to make an attempt if it can be determined that you are running
one of the affected releases of software on a GSR and a copy of the
configuration can be obtained or reverse-engineered.

Software Versions and Fixes
===========================
This bug, documented as CSCdm36197, initially appears in 11.2(14)GS2, the
first release of Cisco IOS software to support access lists on the GSR.

The bug is present in versions of Cisco IOS software from 11.2(14)GS2 to
11.2(15)GS3, inclusive. The earliest repaired version is 11.2(15)GS5.

If you are running any vulnerable version of 11.2GS and wish to resolve this
problem with the least possible change to your existing version of software,
you should upgrade to 11.2(15)GS5 or later.

This bug is not present in any release of 12.0S, so upgrading to 12.0S or
later will also remove the vulnerability.

Obtaining Software
- ----------------
Cisco is offering free software upgrades to repair this vulnerability for
all affected customers. Customers with current support contracts may upgrade
to any software version. Customers without support contracts that are
running release 11.2(14)GS2 through 11.2(15)GS3 may upgrade to 11.2(15)GS5
or any later 11.2GS release that has been repaired. As always, customers may
install only the feature sets they have purchased.

Customers with contracts should obtain upgraded software through their
normal update channels. For most customers, this means that the upgrades
should be obtained via the Software Center on Cisco's Worldwide Web site at
http://www.cisco.com/.

Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC) as follows:

   * +1 800 553 2447 (toll-free from within North America)
   * +1 408 526 7209 (toll call from anywhere in the world)
   * e-mail: tac@cisco.com

Give the URL of this notice,
http://www.cisco.com/warp/public/770/iosgsracl-pub.shtml, as evidence of
your entitlement to a free upgrade. Free upgrades for non-contract customers
must be requested through the TAC.

Please do not contact <psirt@cisco.com> or <security-alert@cisco.com> for
upgrades.

Workarounds
===========
If you need the functionality provided by the established keyword for an
access-list command, there is no reasonable workaround.

Customers may wish to consider modifying the policies on other network
components, if possible, to limit exploitation of this vulnerability until
such time as they have downloaded a fixed version of software to the
affected GSR.

Exploitation and Public Announcements
=====================================
Cisco knows of no public announcements or discussion of this vulnerability
before the date of the public release of this notice. No incidents of
malicious exploitation of this vulnerability have been reported to Cisco.

This vulnerability was reported to Cisco by a customer.

Status of this Notice
=====================
This is a final field notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions of
this notice unless there is some material change in the facts. Should there
be a significant change in the facts, Cisco may update this notice.

Distribution
- ----------
This notice is posted at

    http://www.cisco.com/warp/public/770/iosgsracl-pub.shtml

on Cisco's Worldwide Web site. In addition to Worldwide Web posting, the
initial public version of this notice is being distributed via the
following mailing lists and Usenet newsgroups:

   * cust-security-announce@cisco.com
   * bugtraq@netspace.org
   * first-teams@first.org (includes CERT/CC)
   * cisco@spot.colorado.edu
   * comp.dcom.sys.cisco
   * firewalls@greatcircle.com
   * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about receiving new information regarding this
advisory are encouraged to check occasionally for any updates.

Revision History
- --------------
 Revision 1.0, 1999-06-08 08:00AM US/Pacific      Initial public release
 (-0700)                                          candidate version

 Revision 1.1, 1999-06-08 11:00AM US/Pacific      Fix boilerplate problem.
 (-0700)

 Revision 1.2, 1999-06-08 11:10AM US/Pacific      More boilerplate.
 (-0700)

Cisco Product Security Incident Assistance Procedures
=====================================================
Cisco's Worldwide Web site contains complete information for reporting
security vulnerabilities in Cisco products, obtaining assistance with
security incidents, and registering to receive security information directly
>from Cisco at

    http://www.cisco.com/warp/public/791/sec_incident_response.shtml.

This includes instructions for press inquiries regarding Cisco security
notices.

========================================================================
This notice is copyright 1999 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, including
all dates and version information.
========================================================================
-----BEGIN PGP SIGNATURE-----
Version: Big Secret

iQEVAwUBN1/OsnLSeEveylnrAQF0ewf7Bh7GBW4+XKVTE5a3pH5VvUZaryzsIP0k
3bSUvbax2I2pVmM3uYpKKgWvXu7YV80+n8pnTTCy8w6l7+Kx4MWvo6ih6Tx41KsN
uRhcXLRvGgthymczGnA8LekRJTNqzcEhzv9JELRjKvqfO1yFTKhFq5DqwdPMhJFv
CtQhs2Qb7uvHeyGotUgia/+CI9pllhGqc1U2d7LHlNd6ZQQttXow35XNQonpfo/6
J/dzWaaBajH7bKqwLn0zsb/HaQ4Eq/sZuF+TOVdIqkJ9oSRYKN5W6bEluU+ebIUg
5Fl2y6dgyAjkNIw97icHa/tmBQfeZEyCs5pzLmne/la7+iGT0ZmxVw==
=rblB
-----END PGP SIGNATURE-----