-
A defect in Cisco IOS Software running on all models of Gigabit Switch Routers (GSRs) configured with Gigabit Ethernet or Fast Ethernet cards may cause packets to be forwarded without correctly evaluating configured access control lists (ACLs). In addition to circumventing the access control lists, it is possible to stop an interface from forwarding any packets, thus causing a denial of service.
Only the particular combination of equipment described in this notice is vulnerable. No other combinations of routers and cards are vulnerable.
Network topologies that include a large flat/bridged network may be more susceptible to this vulnerability than some other topologies.
There is no workaround. Customers are urged to upgrade to unaffected versions of software as soon as possible.
This vulnerability is present in all Cisco IOS Software releases for the GSR starting with release 11.2(15)GS1A. Versions of Cisco IOS Software containing the repair for this defect are listed in the section Software Versions and Fixes below.
This defect is documented as Cisco bug ID CSCdp35794.
The complete advisory is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20000803-grs-acl-bypass-dos.
-
This section provides details on affected products.
Vulnerable Products
This vulnerability affects only Gigabit Ethernet and Fast Ethernet cards that are installed in Gigabit Switch Routers.
Products Confirmed Not Vulnerable
Gigabit Switch Routers with other cards are not susceptible to this vulnerability. Similarly, Gigabit Ethernet and Fast Ethernet cards that are installed in other router models are not susceptible to this vulnerability. Specifically, the RSP/7200 series routers are not affected.
No other Cisco products are currently known to be affected by this vulnerability.
-
When access lists are used on a GSR with Gigabit Ethernet or Fast Ethernet cards installed and configured, line card failures may occur that require a reset of the affected card, and internal queuing data structures may be corrupted. The problem is due to differences in the optimized handling of certain types of packets from shared media that directly affect the evaluation of access control lists on Gigabit Ethernet and Fast Ethernet interfaces. The problem is more likely to occur on a large shared or bridged Ethernet segment, and is more evident with the use of compiled access control lists (also known as Turbo ACLs) than with other access control lists. The problem cannot occur unless access control lists are configured on the affected interfaces.
This defect has been assigned Cisco bug ID CSCdp35794. If you are a registered CCO user and you have logged in, you can view bug details.
-
There is no known configuration workaround. Customers are urged to upgrade affected platforms to a fixed software version as soon as possible.
Affected line cards that have stopped forwarding packets can be reset by using the command microcode reload [optional-slot-number] while in global configuration mode.
-
This vulnerability affects Gigabit Ethernet and Fast Ethernet cards on the following Gigabit Switch Routers:
-
12008 Gigabit Switch Router
-
12012 Gigabit Switch Router
-
12016 Gigabit Switch Router
This vulnerability affects all releases of Cisco GSR IOS Software starting with 11.2(15)GS1A. This vulnerability has been corrected in the following IOS releases:
-
11.2(19)GS0.2
-
12.0(8.0.2)S
-
12.0(7)S1
-
12.0(7.4)S
-
12.0(8.3)SC
-
12.0(7)SC
All subsequent releases of Cisco IOS Software for the GSR incorporate this fix.
To determine if your system is affected by this problem, execute the show version command from privileged EXEC mode. If the output does not contain the words "GS Software" in the banner and "FastEthernet" or "GigabitEthernet" in the list of installed interfaces, then the system is not affected by the vulnerability described in this advisory.
If show version displays "GS Software" and also reports that "FastEthernet" or "GigabitEthernet" interfaces are installed in the system, then the current IOS release number should be compared to those listed above to determine if an upgrade is necessary.
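The three checks above (GSR image, GE/FE cards present, release compared against the fixed list) can be scripted so that collected show version output from many routers is triaged consistently. The following is an added example and is not code from the advisory or from Cisco. It assumes the version-ordering rule stated in its docstring (numbers inside the parentheses sort numerically, then the rebuild suffix, with interim builds such as 12.0(7.4)S compared only against the listed interim fixes and maintenance/rebuild releases such as 12.0(7)S1 only against the listed maintenance fixes); that rule is the example's own reading of the fixed-release list, not a Cisco-documented ordering. The show version text is constructed for illustration and deliberately accepts both "GigabitEthernet" and "Gigabit Ethernet" spellings.

```python
import re

# Fixed releases and first affected release as listed in the advisory.
FIXED_RELEASES = (
    "11.2(19)GS0.2", "12.0(8.0.2)S", "12.0(7)S1",
    "12.0(7.4)S", "12.0(8.3)SC", "12.0(7)SC",
)
FIRST_AFFECTED = "11.2(15)GS1A"

# major.minor(maint[.interim...])TRAIN[rebuild]   e.g. 12.0(7.4)S, 11.2(19)GS0.2
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\(([\d.]+)\)([A-Z]+)([0-9A-Za-z.]*)$")


def parse_ios_version(text):
    """Split an IOS release string into its train name and a sortable key.

    Ordering assumption (this example's, not a Cisco-documented rule): the
    numbers inside the parentheses sort numerically, then the rebuild suffix.
    A release with a dotted interim number (12.0(7.4)S) is compared only
    against fixed releases that are also interim builds; a plain maintenance
    or rebuild release (12.0(7)S1) only against maintenance/rebuild fixes.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised IOS version: %r" % text)
    major, minor, inner, train, rebuild = m.groups()
    inner_key = tuple(int(x) for x in inner.split("."))
    # Rebuild suffixes mix digits and letters ("1A", "0.2"); tag each token
    # so an int is never compared against a str.
    rebuild_key = tuple(
        (0, int(tok)) if tok.isdigit() else (1, tok)
        for tok in re.findall(r"\d+|[A-Za-z]+", rebuild)
    )
    return {
        "train": train,
        "interim": len(inner_key) > 1,
        "key": (int(major), int(minor), inner_key, rebuild_key),
    }


def release_status(version):
    """Return 'fixed', 'vulnerable', 'not_affected' or 'unknown' for one release."""
    v = parse_ios_version(version)
    first = parse_ios_version(FIRST_AFFECTED)
    if v["train"] == first["train"] and v["key"] < first["key"]:
        return "not_affected"      # predates the release that introduced the defect
    fixed = [parse_ios_version(f) for f in FIXED_RELEASES]
    same_line = [f["key"] for f in fixed
                 if f["train"] == v["train"] and f["interim"] == v["interim"]]
    if not same_line:
        return "unknown"           # train not covered by the advisory's list
    return "fixed" if v["key"] >= min(same_line) else "vulnerable"


def assess_show_version(output):
    """Apply the advisory's checks to the text of `show version`."""
    if "GS Software" not in output:
        return ("not_affected", None)   # not the GSR image
    if not re.search(r"(Gigabit ?Ethernet|Fast ?Ethernet)", output, re.IGNORECASE):
        return ("not_affected", None)   # GSR, but no GE/FE line cards installed
    m = re.search(r"Version ([^\s,]+),", output)
    if not m:
        return ("unknown", None)
    version = m.group(1)
    return (release_status(version), version)


# Constructed sample output; not captured from a real router.
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) GS Software (GSR-P-M), Version 12.0(7)S, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
cisco 12012/GRP (R5000) processor (revision 0x05) with 262144K bytes of memory.
1 Route Processor Card
4 Packet over SONET network interface(s)
1 GigabitEthernet/IEEE 802.3 interface(s)
8 FastEthernet/IEEE 802.3 interface(s)
"""

if __name__ == "__main__":
    status, version = assess_show_version(SAMPLE_SHOW_VERSION)
    print("%s (running %s)" % (status, version))
```

A release in a train the advisory does not list (for example a 12.0 T image) is reported as "unknown" rather than "fixed", so that anything the list does not cover is escalated instead of silently passed.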
-
The Cisco PSIRT has received no reports of malicious exploitation of this vulnerability.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.