The IOS Firewall Feature Set, also known as Cisco Secure Integrated Software or Context Based Access Control (CBAC), was introduced in IOS version 11.2P.
A vulnerability in the IOS Firewall Feature Set permits traffic that should be denied by the dynamic access control list entries CBAC creates for return traffic.
This vulnerability is documented as Cisco Bug ID CSCdv48261. No other Cisco product is vulnerable.
There is no workaround.
Credit:
The information has been provided by Cisco Systems Product Security Incident Response Team.
Affected Products:
Only configurations implementing CBAC are affected. An affected configuration contains "ip inspect" lines: a global "ip inspect name" rule and an interface on which that rule is applied. Here is one example:
ip inspect name rule1 udp
ip inspect name rule1 tcp
!
!
interface FastEthernet0/1
 ip address 1.2.3.4 255.255.255.0
 ip inspect rule1 in
 duplex auto
 speed auto
!
If the software includes the IOS Firewall Feature Set, the filename of the router image, shown by the show version command, includes an "o" in the section between the hyphens, as in the following example.
Router>show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IO3-M),
Version 12.1(5)T, RELEASE SOFTWARE (fc1)
(the rest is truncated)
In this example the image file name is c2600-io3-m. Since the section between the hyphens ("io3") contains an "o", this image can support CBAC. For additional information regarding Cisco IOS image identifiers consult the document at http://www.cisco.com/warp/public/620/5.shtml#identifiers. The major affected Cisco IOS trains are:
* 11.2P
* 11.3T
* 12.0, 12.0T
* 12.1, 12.1T, 12.1E
* 12.2, 12.2T
In addition to these, several Early Deployment (also known as X releases) are affected. The complete list is given in the Software Versions and Fixes section of this advisory.
Affected hardware models are:
* Cisco routers in the following series: 800, 820, 950, 1400, 1600, 1700, 2500, 2600, 3600, 4000 Gateway, 4224, 7100, 7200, 7400, 7500, SOHO 70, ubr900, ICS7750.
* The Catalyst 5000 and 6000 if they are running Cisco IOS software.
No other Cisco products are affected.
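The two checks above (an "o" in the image name, and an "ip inspect" rule that is actually applied to an interface) can be automated against saved command output. The following is an added example, not a Cisco tool or part of the original advisory: it parses constructed "show version" and running-configuration text modelled on the examples above. The image-name test implements the advisory's rule of thumb only; the fix table linked below remains the authoritative source for whether a specific release is vulnerable.

```python
"""Triage helper for the CBAC advisory (Cisco Bug ID CSCdv48261).

Added example, not a Cisco tool: given the text of "show version" and of the
running configuration, report whether the image carries the IOS Firewall
feature set (an "o" in the field between the hyphens of the image name, the
advisory's rule of thumb) and whether CBAC is actually in use (an
"ip inspect name" rule that is applied to an interface). The sample
outputs below are constructed to mirror the advisory's examples.
"""
import re
from typing import Dict, List, Optional

# "IOS (tm) C2600 Software (C2600-IO3-M), Version 12.1(5)T, ..."
IMAGE_RE = re.compile(r"Software \(([A-Za-z0-9._-]+)\)")
# global definition:        ip inspect name rule1 tcp
INSPECT_NAME_RE = re.compile(r"^\s*ip inspect name (\S+)\b", re.M)
# interface application:     ip inspect rule1 in
INSPECT_APPLY_RE = re.compile(r"^\s*ip inspect (?!name\b)(\S+) (in|out)\b", re.M)


def image_name(show_version: str) -> Optional[str]:
    """Return the lower-cased image name from 'show version' output, or None."""
    m = IMAGE_RE.search(show_version)
    return m.group(1).lower() if m else None


def image_has_firewall_feature_set(name: str) -> bool:
    """Advisory rule of thumb: the feature-set field (second hyphen-separated
    field, e.g. 'io3' in 'c2600-io3-m') contains an 'o' when the IOS Firewall
    feature set is built in."""
    fields = name.lower().split("-")
    return len(fields) >= 2 and "o" in fields[1]


def cbac_rules_in_use(config: str) -> Dict[str, List[str]]:
    """Inspection rules that are both defined globally and applied to an
    interface, mapped to the directions in which they are applied."""
    defined = set(INSPECT_NAME_RE.findall(config))
    applied: Dict[str, List[str]] = {}
    for rule, direction in INSPECT_APPLY_RE.findall(config):
        applied.setdefault(rule, []).append(direction)
    return {rule: dirs for rule, dirs in applied.items() if rule in defined}


def assess(show_version: str, config: str) -> dict:
    """Combine both checks: exposure requires the feature set in the image
    and at least one inspection rule applied to an interface."""
    name = image_name(show_version)
    has_fw = bool(name) and image_has_firewall_feature_set(name)
    rules = cbac_rules_in_use(config)
    return {
        "image": name,
        "firewall_feature_set": has_fw,
        "cbac_rules": rules,
        "affected": has_fw and bool(rules),
    }


# Constructed sample data modelled on the advisory's examples.
SHOW_VERSION = """\
Router>show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IO3-M), Version 12.1(5)T, RELEASE SOFTWARE (fc1)
"""

RUNNING_CONFIG = """\
ip inspect name rule1 udp
ip inspect name rule1 tcp
!
interface FastEthernet0/1
 ip address 1.2.3.4 255.255.255.0
 ip inspect rule1 in
 duplex auto
 speed auto
!
"""

if __name__ == "__main__":
    print(assess(SHOW_VERSION, RUNNING_CONFIG))
```

A rule that is defined but never applied with "ip inspect <name> in|out" on an interface does not inspect anything, so the helper reports only rules that are both defined and applied.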
Details:
Cisco IOS Firewall is a packet inspection system. It is also stateful: it keeps information about connections that last beyond the lifetime of a single packet. CBAC is an IP-only feature. A router running CBAC recognizes Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and some higher-layer protocols, and examines packet data beyond the IP headers. If configured, CBAC maintains session information based on the packets it examines.
When a session is initiated from the protected network, CBAC creates a dynamic access list entry allowing return traffic for that session. When return traffic is matched against that dynamic entry, the source and destination addresses and ports are checked, but the IP protocol type is not. A packet of a different protocol type that carries the same address and port pair (for example, a TCP segment matching a UDP session) can therefore be admitted into the protected network.
This vulnerability is documented as Cisco Bug ID CSCdv48261.
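To make the flaw concrete, the following added example (not Cisco code and not part of the original advisory) models the dynamic return-traffic check in a few lines of Python. The session table, addresses and ports are constructed. The flawed matcher compares only addresses and ports, as described above; the fixed matcher also compares the IP protocol. It also illustrates the limit stated in the Impact section: a probe is admitted only for the single host and port pair that opened the session, and any other port pair is still denied.

```python
"""Model of a CBAC-style dynamic return-traffic check.

Added example, not Cisco code: a minimal simulation of the session table
CBAC keeps for inspected outbound connections, with a matcher that omits
the IP protocol comparison (the behaviour described for CSCdv48261) beside
one that includes it. All addresses and ports are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Set

TCP, UDP = 6, 17  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Session:
    """One dynamic entry, created when an inside host initiates a connection."""
    proto: int
    inside: str
    inside_port: int
    outside: str
    outside_port: int

    @classmethod
    def from_outbound(cls, pkt: Packet) -> "Session":
        return cls(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)


def _addresses_and_ports_match(s: Session, pkt: Packet) -> bool:
    """Return traffic must come from the outside peer to the inside initiator."""
    return (s.outside == pkt.src and s.outside_port == pkt.sport
            and s.inside == pkt.dst and s.inside_port == pkt.dport)


def return_allowed_flawed(sessions: Set[Session], pkt: Packet) -> bool:
    """Check as described in the advisory: addresses and ports compared,
    IP protocol type ignored."""
    return any(_addresses_and_ports_match(s, pkt) for s in sessions)


def return_allowed_fixed(sessions: Set[Session], pkt: Packet) -> bool:
    """Same check with the protocol compared, so a TCP segment cannot ride
    through the hole opened for a UDP session."""
    return any(s.proto == pkt.proto and _addresses_and_ports_match(s, pkt)
               for s in sessions)


def demo() -> Dict[str, bool]:
    # Constructed: inside host 10.1.1.10 sends a DNS query to 192.0.2.53.
    outbound = Packet(UDP, "10.1.1.10", 40000, "192.0.2.53", 53)
    sessions = {Session.from_outbound(outbound)}

    legit_reply = Packet(UDP, "192.0.2.53", 53, "10.1.1.10", 40000)
    # Constructed: a TCP SYN from the same peer, reusing the session's port pair.
    tcp_probe = Packet(TCP, "192.0.2.53", 53, "10.1.1.10", 40000)
    # Constructed: same peer, different inside port; no session covers it.
    other_port = Packet(TCP, "192.0.2.53", 53, "10.1.1.10", 40001)

    return {
        "flawed_udp_reply": return_allowed_flawed(sessions, legit_reply),
        "flawed_tcp_probe": return_allowed_flawed(sessions, tcp_probe),
        "flawed_other_port": return_allowed_flawed(sessions, other_port),
        "fixed_udp_reply": return_allowed_fixed(sessions, legit_reply),
        "fixed_tcp_probe": return_allowed_fixed(sessions, tcp_probe),
    }


if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name}: {'permit' if permitted else 'deny'}")
```

The only difference between the two matchers is the `s.proto == pkt.proto` term; with it absent, the TCP probe is permitted as if it were the UDP reply, while the unrelated port pair is denied by both versions.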
Impact:
By allowing packets of a different protocol type into the protected network, the customer is exposed to a much larger threat. This vulnerability can be exploited for reconnaissance, but only against the single host and port that initiated the session in the first place. Depending on the exact session parameters, it may be possible to send data to processes that were supposed to be reachable only from within the trusted network. In the worst case, it is possible to open an interactive session to a host on the protected network; for that, a process on the host must be listening on the port for which CBAC opened the hole.
Software Versions and Fixes:
Please use the provided table to verify whether your product is vulnerable and whether a fix is available for it:
http://www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml#Software
Obtaining Fixed Software:
Cisco is offering free software upgrades to eliminate this vulnerability for all affected customers.
Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's World Wide Web site at http://www.cisco.com.
Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which should be free of charge.
Customers without contracts should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows:
* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.
Workarounds:
There is no workaround.