[nsp] Cisco Security Advisory: Possible Access Control Bypass and Denial of Service in Gigabit Switch Routers Using Gigabit Ethernet or Fast Ethernet Cards

From: Cisco Systems Product Security Incident Response Team (psirt@cisco.com)
Date: Thu Aug 03 2000 - 11:47:55 EDT


-----BEGIN PGP SIGNED MESSAGE-----

Cisco Security Advisory
   
Possible Access Control Bypass and Denial of Service in Gigabit Switch Routers
                 Using Gigabit Ethernet or Fast Ethernet Cards
                                       
Revision 1.0

  For Public Release 2000 August 03 at 11:00 AM US/Eastern (15:00 UTC)
     _________________________________________________________________
   
Summary

   A defect in Cisco IOS(tm) Software running on all models of Gigabit
   Switch Routers (GSRs) configured with Gigabit Ethernet or Fast
   Ethernet cards may cause packets to be forwarded without correctly
   evaluating configured access control lists (ACLs). In addition to
   circumventing the access control lists, it is possible to stop an
   interface from forwarding any packets, thus causing a denial of
   service.
   
   Only the particular combination of equipment described in this notice
   is vulnerable. No other combinations of routers and cards are
   vulnerable.
   
   Network topologies that include a large flat/bridged network may be
   more susceptible to this vulnerability than some other topologies.
   
   There is no workaround. Customers are urged to upgrade to unaffected
   versions of software as soon as possible.
   
   This vulnerability is present in all Cisco IOS Software releases for
   the GSR starting with release 11.2(15)GS1A. Versions of Cisco IOS
   Software containing the repair for this defect are listed in the
   section Software Versions and Fixes below.
   
   This defect is documented as Cisco bug ID CSCdp35794.
   
   The complete advisory is available at
   http://www.cisco.com/warp/public/707/gsraclbypassdos-pub.shtml.
   
Affected Products

   This vulnerability affects only Gigabit Ethernet and Fast Ethernet
   cards that are installed in Gigabit Switch Routers.
   
   Gigabit Switch Routers with other cards are not susceptible to this
   vulnerability. Similarly, Gigabit Ethernet and Fast Ethernet cards that
   are installed in other router models are not susceptible to this
   vulnerability. Specifically, the RSP/7200 series routers are not
   affected.
   
Details

   When access lists are used on a GSR with Gigabit Ethernet or Fast
   Ethernet cards installed and configured, line card failures that
   require a reset of the affected card may occur, and internal queuing
   data structures may be corrupted. The problem is due to differences in the
   optimized handling of certain types of packets from shared media that
   directly affects the evaluation of access control lists on Gigabit
   Ethernet and Fast Ethernet interfaces. The problem is more likely to
   occur on a large shared or bridged Ethernet segment, and is more
   evident with the use of compiled access control lists (also known as
   Turbo ACLs) than with other access control lists. The problem cannot
   occur unless access control lists are configured on the affected
   interfaces.
   
   This defect has been assigned Cisco bug ID CSCdp35794. If you are a
   registered CCO user and you have logged in, you can view bug details.
   
Impact

   Under certain conditions it is possible to circumvent compiled access
   control lists with a moderate probability of success and circumvent
   extended access control lists with a low probability of success. A
   possible side effect is that the attacked interface may stop
   forwarding packets without logging an error, requiring the card to be
   reset via software.
   
   Due to the nature of this vulnerability, it is difficult to predict
   the exact results of any such exploitation.
   
   Network topologies that include a large flat/bridged network (several
   hundred hosts or more) may be more susceptible to this vulnerability
   than some other topologies. However, by sending a large number of
   specific packets, it may be possible to trigger this vulnerability on
   any topology.
   
Software Versions and Fixes

   This vulnerability affects Gigabit Ethernet and Fast Ethernet cards on
   the following Gigabit Switch Routers:
     * 12008 Gigabit Switch Router
     * 12012 Gigabit Switch Router
     * 12016 Gigabit Switch Router
       
   This vulnerability affects all releases of Cisco GSR IOS Software
   starting with 11.2(15)GS1A. This vulnerability has been corrected in
   the following IOS releases:
     * 11.2(19)GS0.2
     * 12.0(8.0.2)S
     * 12.0(7)S1
     * 12.0(7.4)S
     * 12.0(8.3)SC
     * 12.0(7)SC
       
   All subsequent releases of Cisco IOS Software for the GSR incorporate
   this fix.
   
   To determine whether your system is affected by this problem, execute
   the show version command from privileged EXEC mode. If the output does
   not contain both the words "GS Software" in the banner and
   "FastEthernet" or "GigabitEthernet" in the list of installed cards,
   then the system is not affected by the vulnerability described in this
   advisory.
   
   If show version displays "GS Software" and also reports that
   "FastEthernet" or "GigabitEthernet" cards are installed in the system,
   then compare the running IOS release number with the fixed releases
   listed above to determine whether an upgrade is necessary.
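   The three-step check above (GS Software banner, Ethernet card list,
   release comparison) is tedious to apply by hand across a fleet, and
   the release comparison is the part most often done wrong, because
   rebuilds such as 12.0(7)S1 and interim builds such as 12.0(7.4)S are
   separate lines that the advisory lists separately. The following
   Python script is an added example, not code from Cisco or from this
   advisory: it applies the check to a captured show version text. The
   sample capture is constructed for the example, and the ordering rule in
   is_fixed (a higher maintenance number in the same train is a subsequent
   release; for an equal maintenance number a rebuild is compared only
   with a fixed rebuild and an interim build only with a fixed interim)
   is an assumption about how "all subsequent releases incorporate this
   fix" should be read, not a rule the advisory states.

```python
"""Apply the advisory's 'show version' check to a captured banner.

Added example; not Cisco code. The sample capture below is constructed.
"""
import re
from typing import NamedTuple, Optional, Tuple

# Fixed releases as listed in the advisory. The advisory states that all
# subsequent GSR releases incorporate the fix.
FIXED_RELEASES = [
    "11.2(19)GS0.2",
    "12.0(8.0.2)S",
    "12.0(7)S1",
    "12.0(7.4)S",
    "12.0(8.3)SC",
    "12.0(7)SC",
]

# IOS release syntax: major.minor(maintenance[.interim ...])TRAIN[rebuild]
RELEASE_RE = re.compile(
    r"(\d+)\.(\d+)\((\d+)((?:\.\d+)*)\)([A-Z]+)((?:\d+(?:\.\d+)*)?)"
)


class Release(NamedTuple):
    major: int
    minor: int
    maint: int
    interim: Tuple[int, ...]  # (4,) for 12.0(7.4)S, () for a base release
    train: str                # "GS", "S", "SC"
    rebuild: Tuple[int, ...]  # (1,) for 12.0(7)S1, () if none
    text: str                 # the release string as matched


def _nums(s: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in s.split(".") if x)


def parse_release(text: str) -> Optional[Release]:
    """Parse the first IOS release string found in `text`."""
    m = RELEASE_RE.search(text)
    if not m:
        return None
    major, minor, maint, interim, train, rebuild = m.groups()
    return Release(int(major), int(minor), int(maint), _nums(interim),
                   train, _nums(rebuild), m.group(0))


def is_fixed(rel: Release, fixed: Release) -> bool:
    """True if `rel` is `fixed` itself or a later release of the same train.

    Assumption (the advisory does not define the ordering): rebuilds such as
    12.0(7)S1 and interim builds such as 12.0(7.4)S are separate lines, so a
    rebuild is compared only with a fixed rebuild of the same maintenance
    number and an interim only with a fixed interim; a higher maintenance
    number in the same train always counts as a subsequent release.
    """
    if (rel.major, rel.minor, rel.train) != (fixed.major, fixed.minor, fixed.train):
        return False
    if rel.maint != fixed.maint:
        return rel.maint > fixed.maint
    if fixed.interim:
        return bool(rel.interim) and rel.interim >= fixed.interim
    if fixed.rebuild:
        return not rel.interim and bool(rel.rebuild) and rel.rebuild >= fixed.rebuild
    return True  # `fixed` is the base maintenance release; `rel` is it or derived from it


def release_is_fixed(rel: Release) -> bool:
    return any(is_fixed(rel, parse_release(f)) for f in FIXED_RELEASES)


def assess(show_version: str) -> Tuple[str, str]:
    """Return (status, detail); status is "affected", "not affected" or "unknown"."""
    if "GS Software" not in show_version:
        return "not affected", "image is not GS Software (not a GSR image)"
    cards = [c for c in ("GigabitEthernet", "FastEthernet") if c in show_version]
    if not cards:
        return "not affected", "no GigabitEthernet or FastEthernet cards listed"
    # The running image is on the "IOS (tm) ..." line; the ROM and bootflash
    # lines also carry a "Version" string and must be skipped.
    ios_line = next((ln for ln in show_version.splitlines()
                     if ln.startswith("IOS") and "Version" in ln), "")
    rel = parse_release(ios_line)
    if rel is None:
        return "unknown", "could not parse the running IOS release"
    if release_is_fixed(rel):
        return "not affected", f"{rel.text} contains the fix"
    return "affected", f"{rel.text} with {', '.join(cards)} cards: upgrade to a fixed release"


# Constructed sample in the usual layout of a GSR "show version"; not a real capture.
SAMPLE_AFFECTED = """\
Cisco Internetwork Operating System Software
IOS (tm) GS Software (GSR-P-M), Version 12.0(7)S, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
ROM: System Bootstrap, Version 11.2(17)GS2, RELEASE SOFTWARE (fc1)
BOOTFLASH: GS Software (GSR-BOOT-M), Version 12.0(7)S, RELEASE SOFTWARE (fc1)
cisco 12012/GRP (R5000) processor (revision 0x01) with 131072K bytes of memory.
1 Route Processor Card
1 Clock Scheduler Card
3 Switch Fabric Cards
1 four-port OC3 POS controller (4 POS).
1 eight-port FastEthernet controller (8 FastEthernet).
"""

if __name__ == "__main__":
    status, detail = assess(SAMPLE_AFFECTED)
    print(f"{status}: {detail}")
```

   Run it against each router's saved show version output; the script
   deliberately reads the release from the "IOS (tm)" line only, since the
   ROM monitor and bootflash lines in the same output also carry a
   "Version" string and would otherwise be mistaken for the running image.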
   
Obtaining Fixed Software

   Cisco is offering free software upgrades to remedy this vulnerability
   for all affected customers. Customers may install only the feature
   sets they have purchased.
   
   Customers with contracts should obtain upgraded software through their
   regular update channels. For most customers, this means that upgrades
   should be obtained via the Software Center on Cisco's Worldwide Web
   site at http://www.cisco.com/.
   
   Customers without contracts should get their upgrades by contacting
   the Cisco Technical Assistance Center (TAC) as follows:
     * 800 553 2447 (toll-free from within North America)
     * +1 408 526 7209 (toll call from anywhere in the world)
     * E-mail: tac@cisco.com
       
   Additional contact information for the TAC is on-line at
   http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml, including
   instructions and e-mail addresses for use by non-English speakers.
   
   Give the URL of this notice as evidence of your entitlement to a free
   upgrade. Free upgrades for non-contract customers must be requested
   through the TAC. Please do not contact either "psirt@cisco.com" or
   "security-alert@cisco.com" for software upgrades. You will obtain
   faster results by directly contacting the TAC.
   
Workarounds

   There is no known configuration workaround. Customers are urged to
   upgrade affected platforms to a fixed software version as soon as
   possible.
   
   Affected line cards that have stopped forwarding packets can be reset
   by using the command microcode reload [optional-slot-number] while in
   global configuration mode.
   
Exploitation and Public Announcements

   The Cisco PSIRT has received no reports of malicious exploitation of
   this vulnerability.
   
Status of This Notice: FINAL

   This is a final notice. Although Cisco cannot guarantee the accuracy
   of all statements in this notice, all the facts have been checked to
   the best of our ability. Cisco does not anticipate issuing updated
   versions of this notice unless there is some material change in the
   facts. Should there be a significant change in the facts, Cisco may
   update this notice.
   
Distribution

   This notice is posted at
   http://www.cisco.com/warp/public/707/gsraclbypassdos-pub.shtml. In
   addition to Worldwide Web posting, a text version of this notice is
   clear-signed with the Cisco PSIRT PGP key and is posted to the
   following e-mail and Usenet news recipients:
     * cust-security-announce@cisco.com
     * first-teams@first.org (includes CERT/CC)
     * bugtraq@securityfocus.com
     * firewalls@lists.gnac.net
     * cisco@spot.colorado.edu
     * cisco-nsp@puck.nether.net
     * comp.dcom.sys.cisco
     * Various internal Cisco mailing lists
       
   Future updates of this notice, if any, will be placed on Cisco's
   Worldwide Web server, but may or may not be actively announced on
   mailing lists or newsgroups. Users concerned about this problem are
   encouraged to check the URL given above for any updates.
   
Revision History

   Revision 1.0 2000-08-03 Initial public release.
   
Cisco Product Security Incident Assistance Process

   The web page at
   http://www.cisco.com/warp/public/707/sec_incident_response.shtml
   describes how to report security vulnerabilities in Cisco products,
   obtain assistance with security incidents, and register to receive
   product security information from Cisco Systems, Inc., including
   instructions for press inquiries regarding Cisco Security Advisories
   and notices. This advisory is Cisco's official public statement
   regarding this vulnerability.
     _________________________________________________________________
   
   This notice is copyright 2000 by Cisco Systems, Inc. This notice may
   be redistributed freely after the release date given at the top of the
   text, provided that redistributed copies are complete and unmodified
   and include all date and version information.
     _________________________________________________________________
   

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQEVAwUBOYmLIGiN3BRdFxkbAQFwMQf+KbqZjEyWuPFx9WagNARfE09+eLx3jGKa
pb03YDM5Le2roBGNPD6rwIAGyy/nbg4WafHTKwLwmoopMeKhub72Gk/CvzkfLzZ+
LhUcYtXTyZ/11Z7p1QhPvqoP96Q6KqDYtge+A9OOZGooH7IY9Z3kPBIeDKQfekin
JbSMF+vxMWw8BY9gQOa3hbBjPyNTMNpEeVJipZdu/YS5G5ztjXcY1lcGQxUDXnY+
x+XQlZqsgsBx7/EIqSBZmykW3nKk1QMHNPgIs2q+2x4SB5bBrTM2Vx3Nlh1zDzun
lL3Btgs07nHYssmo8MtKgarvgqhF+Ee7GqAP0h69Nu7iyGGNgTALZw==
=OQyD
-----END PGP SIGNATURE-----