List: firewalls-gc
Subject: CERT Advisory for Cisco Access Lists
From: morgan () engr ! uky ! edu (Wes Morgan)
Date: 1992-12-23 8:21:52
I thought I'd give this a better distribution.....
>From: cert-advisory-request@CERT.ORG (CERT Advisory)
>Newsgroups: comp.security.announce
>Subject: CERT Advisory - Cisco Access List Vulnerability
>Date: 10 Dec 92 19:44:59 GMT
>
>CA-92:20 CERT Advisory
> December 10, 1992
> Cisco Access List Vulnerability
>-----------------------------------------------------------------------------
>
>The CERT Coordination Center has received information concerning a
>vulnerability with Cisco routers when access lists are utilized. This
>vulnerability is present in Cisco software releases 8.2, 8.3, 9.0 and 9.1.
>
>Cisco Systems and CERT strongly recommend that sites using Cisco routers
>for firewalls take immediate action to eliminate this vulnerability from
>their networks.
>
>This vulnerability is fixed in Cisco software releases 8.3 (update 5.10),
>9.0 (update 2.5), 9.1 (update 1.1) and in all later releases. Customers
>who are using software release 8.2 and do not want to upgrade to a later
>release should contact Cisco's Technical Assistance Center (TAC) at
>800-553-2447 (Internet: tac@cisco.com) for more information.
>
>The following interim releases are available via anonymous FTP from
>ftp.cisco.com (131.108.1.111).
>
>Note: this FTP server will not allow filenames to be listed or matched
>with wildcards. You also cannot request the file by its full pathname.
>You must first cd to the desired directory (beta83_dir, beta90_dir, or
>beta91_dir) and then request the file desired (gs3-bfx.83-5.10, etc.).
>
> Release (Update)   Filename                      Size      Checksum
> 8.3 (5.10)         /beta83_dir/gs3-bfx.83-5.10   1234696   02465 1206
> 9.0 (2.5)          /beta90_dir/gs3-bfx.90-2.5    1705364   47092 1666
> 9.1 (1.1)          /beta91_dir/gs3-k.91-1.1      2005548   59407 1959
>
>These releases are also available on Cisco's Customer Information On-Line
>(CIO) service for those customers having a maintenance contract.
>Other customers may obtain these releases through Cisco's Technical
>Assistance Center or by contacting their local Cisco distributor.
>
>-----------------------------------------------------------------------------
>
>I. Description
>
> A vulnerability in Cisco access lists allows some packets to be
> erroneously routed which one would expect to be filtered by the access
> list and vice-versa. This vulnerability can allow unauthorized traffic
> to pass through the gateway and can block authorized traffic.
>
>II. Problem
>
> If a Cisco router is configured to use extended IP access lists for
> traffic filtering on an MCI, SCI, cBus or cBusII interface, and the IP
> route cache is enabled, and the "established" keyword is used in the
> access list, then the access list can be improperly evaluated. This
> can permit packets which should be filtered and filter packets which
> should be permitted.
>
>III. Workaround
>
> This vulnerability can be avoided by either rewriting the extended
> access list to not use the "established" keyword, or by configuring
> the interface to not use the IP route cache. To disable the IP route
> cache, use the configuration command "no ip route-cache".
>
> Example for a serial interface:
> router>enable
>
> Password:
> router#configure terminal
>
> Enter configuration commands, one per line.
> Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z
> interface serial 0
> no ip route-cache
> ^Z
> router#write memory
>
>IV. Solution
>
> Obtain and install the appropriate interim release listed above.
> Sites which are not experienced at this installation process
> should contact the TAC center at 800-553-2447 for assistance.
>
>---------------------------------------------------------------------------
>The CERT Coordination Center wishes to thank Keith Reynolds of the
>Santa Cruz Operation for his assistance in identifying this problem
>and Cisco Systems for their assistance in providing technical information
>for this advisory.
>---------------------------------------------------------------------------
>If you believe that your system has been compromised, contact the CERT
>Coordination Center or your representative in FIRST (Forum of Incident
>Response and Security Teams).
>
>Internet E-mail: cert@cert.org
>Telephone: 412-268-7090 (24-hour hotline)
> CERT personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
> on call for emergencies during other hours.
>
>CERT Coordination Center
>Software Engineering Institute
>Carnegie Mellon University
>Pittsburgh, PA 15213-3890
>
>Past advisories, information about FIRST representatives, and other
>information related to computer security are available for anonymous FTP
>from cert.org (192.88.209.5).
>
>
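The advisory describes the affected combination in words but shows only the "no ip route-cache" half of the workaround. What follows is an added example, not part of the advisory, of Wes Morgan's message, or of Cisco's own documentation: an extended access list that uses the "established" keyword on a fast-switched interface, placed next to the two workarounds the advisory names. Modern IOS syntax ("any", "host", "ip access-group ... in", "show running-config") is assumed; the 1992 releases listed above used older forms of these commands. The addresses and list numbers are constructed for the illustration.

```text
! Added example, not taken from the advisory. Modern IOS syntax is
! assumed; addresses (192.0.2.0/24 inside, 198.51.100.0/30 on the
! serial link) are constructed for illustration.
!
! --- Affected combination on releases 8.2 / 8.3 / 9.0 / 9.1 ---
! Extended list 101: let replies to connections opened from inside
! (TCP segments with ACK or RST set, which is what "established"
! matches) back in, allow SMTP to one host, deny everything else.
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 established
access-list 101 permit tcp any host 192.0.2.25 eq 25
access-list 101 deny   ip  any any
!
interface serial 0
 ip address 198.51.100.1 255.255.255.252
 ip access-group 101 in
 ip route-cache
! With the route cache on (the usual default), the advisory says list
! 101 can be evaluated incorrectly on MCI, SCI, cBus and cBusII
! interfaces: some packets the list denies get through, and some it
! permits are dropped.
!
! --- Workaround (a): keep the list, switch off the route cache ---
! Packets on serial 0 are then process-switched, which costs
! throughput, but the list is evaluated as written.
interface serial 0
 no ip route-cache
!
! --- Workaround (b): rewrite the list without "established" ---
! The only stateless stand-in for "established" is a match on the
! high ports that replies land on. That no longer looks at the ACK/RST
! bits, so it also admits NEW connections from outside to those ports:
! (a) preserves the policy, (b) loosens it.
access-list 102 permit tcp any 192.0.2.0 0.0.0.255 gt 1023
access-list 102 permit tcp any host 192.0.2.25 eq 25
access-list 102 deny   ip  any any
interface serial 0
 ip access-group 102 in
```

The interim releases fix the evaluation itself; the workarounds only cover the window before the upgrade. Whichever is chosen, confirm it from the saved configuration ("show running-config", or "write terminal" on the older releases): under workaround (a) every affected interface should show "no ip route-cache"; under workaround (b) no access-list line applied to an affected interface should still contain "established".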