[nsp] Possible bug in access-class ACLs on Cat3750?

Lars Erik Gullerud lerik at nolink.net
Thu Nov 20 08:23:49 EST 2003


I am wondering if I have stumbled across a security-bug on the Cisco
Catalyst 3750 switches regarding ACLs in IOS version 12.1(14)EA1a. The
problem seems to be fixed in 12.1(19)EA1, however I can't seem to find
anything about this in either the release notes for (19) or any open
bug-id's for this with a simple search. We don't have a support contract
for these low-end boxes so I haven't opened a TAC case for this.

It seems that the ACL is not being checked at all when used in an
"access-class" statement under "line vty X" - meaning that unless other
mechanisms are used to prevent access, anyone can reach the switch via
telnet/ssh (if enabled).

To demonstrate what I am talking about, here is a section of a sample
lab-config from a Catalyst 3750, EMI image. SDM prefer is set to "sdm
prefer routing", IOS image is c3750-i5k2-mz.121-14.EA1a.bin (EMI image
with SSH/3DES support):

---
interface Vlan80
 ip address 192.168.1.5 255.255.255.0
!
access-list 15 permit 192.168.0.0 0.0.3.255
access-list 15 permit 172.16.2.0 0.0.0.255
!
line vty 0 4
 access-class 15 in
 transport input telnet ssh
---

This should, in theory, only allow connections from 192.168.0.0/22 and
172.16.2.0/24. In this case there is no explicit deny at the end of the
ACL (only the implicit "deny any"), but adding an explicit "access-list
15 deny any" at the end produces the same behaviour, so that is not an
issue. Using extended ACLs instead of standard ACLs also produces the
same result.

When attempting to telnet to the device from e.g. a 10.* source (i.e.
one NOT allowed in the access-list), the following happens:

jnpr-m40> telnet 192.168.1.5 source 10.80.254.2
Trying 192.168.1.5...
Connected to 192.168.1.5
Escape character is '^]'.

<snip>

Yes, this is working perfectly. You can access the switch both via
telnet and ssh from ANY source-IP. When attempting the same under
12.1(19)EA1, the behaviour is as you would expect (image now is
c3750-i5k2-mz.121-19.EA1.bin):

jnpr-m40> telnet 192.168.1.5 source 10.80.254.2
Trying 192.168.1.5...
telnet: connect to address 192.168.1.5: Connection refused

jnpr-m40> telnet 192.168.1.5 source 192.168.2.1
Trying 192.168.1.5
Connected to 192.168.1.5
Escape character is '^]'.

<snip>

Has anyone else come across this, or is it just something weird one
needs to do to make ACLs work correctly on 3750s? I have ten Cat3750
units with 12.1(14)EA1a that are in the process of being deployed at
various remote offices that it seems I must now get upgraded to
12.1(19)EA1 pretty quickly, since these will be used outside of a
firewall-environment...

/leg
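Added illustration, not part of the original post: a small Python model of what the configuration above is supposed to enforce, namely IOS standard-ACL wildcard matching with first-match semantics and the implicit deny, applied to the access-class on the vty lines. The config string is the ACL and vty lines of the post's lab fragment, embedded as constructed sample input; the function names are my own. It gives the expected answer for each source address, which is the baseline the observed 12.1(14)EA1a behaviour fails to match.

```python
import ipaddress
import re
# Constructed sample input: the ACL and vty lines of the lab fragment quoted in the post.
SAMPLE_CONFIG = """\
access-list 15 permit 192.168.0.0 0.0.3.255
access-list 15 permit 172.16.2.0 0.0.0.255
!
line vty 0 4
 access-class 15 in
 transport input telnet ssh
"""
ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?(?:\s+log)?\s*$")

def ip_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_standard_acls(config):
    """Return {acl_number: [(action, network, wildcard), ...]} as ints, in config order."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        num, action, src, wild = m.groups()
        if src == "any":                  # 'any' is shorthand for 0.0.0.0 255.255.255.255
            src, wild = "0.0.0.0", "255.255.255.255"
        elif src == "host":               # 'host A.B.C.D' is shorthand for A.B.C.D 0.0.0.0
            src, wild = wild, "0.0.0.0"
        acls.setdefault(num, []).append((action, ip_int(src), ip_int(wild or "0.0.0.0")))
    return acls

def acl_decision(entries, source_ip):
    """First match wins; 1 bits in the wildcard are 'don't care'; no match = implicit deny."""
    addr = ip_int(source_ip)
    for action, net, wild in entries:
        care = 0xFFFFFFFF ^ wild
        if addr & care == net & care:
            return action
    return "deny"

def vty_access_class(config):
    """ACL number from 'access-class N in' inside a 'line vty' block, or None if absent."""
    m = re.search(r"^line vty[^\n]*\n(?: [^\n]*\n)*? access-class (\d+) in\b", config, re.M)
    return m.group(1) if m else None

def expected_vty_decision(config, source_ip):
    acl = vty_access_class(config)
    if acl is None:                       # no access-class at all: every source is accepted
        return "permit"
    return acl_decision(parse_standard_acls(config).get(acl, []), source_ip)
```

With the sample config, 10.80.254.2 evaluates to "deny" and 192.168.2.1 to "permit", which is exactly the split the 12.1(19)EA1 telnet sessions above show and the 12.1(14)EA1a ones do not.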
