-
The IOS Firewall Feature set, also known as Cisco Secure Integrated Software, also known as Context Based Access Control (CBAC), and introduced in IOS version 11.2P, has a vulnerability that permits traffic normally expected to be denied by the dynamic access control lists.
This vulnerability is documented as Cisco Bug ID CSCdv48261.
No other Cisco product is vulnerable.
There is no workaround.
This advisory is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20011128-ios-cbac-dynacl
-
This section provides details on affected products.
Vulnerable Products
Only configurations implementing CBAC are affected. An affected configuration includes the lines "ip inspect" in your router's configuration. Here is one example:
ip inspect name rule1 udp ip inspect name rule1 tcp ! ! interface FastEthernet0/1 ip address 1.2.3.4 255.255.255.0 ip inspect rule1 in duplex auto speed auto !
The filename of the router image, available via show version command, includes an "o" in the section between the hyphens, if the software includes the IOS Firewall Featureset, as in the following example.
Router>show version Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IO3-M), Version 12.1(5)T, RELEASE SOFTWARE (fc1) (the rest is truncated)
In this example the image file name is c2600-io3-m. Since it has an "o" in its name, this image can support CBAC. For additional information regarding Cisco IOS image identifiers consult the document at http://www.cisco.com/warp/public/620/1.html#t16. The major affected Cisco IOS trains are:
-
11.2P
-
11.3T
-
12.0, 12.0T
-
12.1, 12.1T, 12.1E
-
12.2, 12.2T
In addition to these, several Early Deployment (also known as X releases) are affected. The complete list is given in the Software Versions and Fixes section of this advisory.
Affected hardware models are:
-
Cisco routers in the following series: 800, 820, 950, 1400, 1600,
1700, 2500, 2600, 3600, 4000 Gateway, 4224, 7100, 7200, 7400, 7500, SOHO 70,
ubr900, ICS7750.
-
The Catalyst 5000 and 6000 if they are running Cisco IOS software.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
11.2P
-
Cisco IOS Firewall is a packet inspection system. It is also a stateful system; it keeps information about connections that last beyond the lifetime of a single packet. CBAC is an IP-only feature. A router running CBAC recognizes Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and some higher-layer protocols, and examines packet data beyond the IP headers. If configured, CBAC maintains session information based on packets examined.
When a session is initiated from the protected network, CBAC creates a dynamic access list entry allowing return traffic for that session. Upon inspection of the return traffic through a dynamic access list, source and destination addresses and ports are checked, however IP protocol type is not checked. This could allow a packet of different protocol type into the protected network.
This vulnerability is documented as Cisco Bug ID CSCdv48261.
-
There is no workaround.
-
Each row of the table describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix and the anticipated date of availability for each are listed in the "Rebuild," "Interim," and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the earliest fixed release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than the earliest fixed release label). When selecting a release, keep in mind the following definitions:
-
Maintenance - Most heavily tested and highly
recommended release of any label in a given row of the table.
-
Rebuild - Constructed from the previous maintenance
or major release in the same train, it contains the fix for a specific defect.
Although it receives less testing, it contains only the minimal changes
necessary to effect the repair.
-
Interim - Built at regular intervals between
maintenance releases and receives less testing. Interims should be selected
only if there is no other suitable release that addresses the vulnerability.
Interim images should be upgraded to the next available maintenance release as
soon as possible. Interim releases are not available via manufacturing, and
usually they are not available for customer download from CCO without prior
arrangement with the Cisco TAC.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco TAC for assistance as shown in the following section.
More information on Cisco IOS release names and abbreviations is available at http://www.cisco.com/warp/public/620/1.html.
Train
Description of Image or Platform
Availability of Fixed Releases*
11.x-based Releases
Rebuild
Interim**
Maintenance
11.2P
Early Deployment: limited platforms
End of Support Upgrade recommended to 12.0
11.3T
End of Support Upgrade recommended to 12.0
12.0-based Releases
Rebuild
Interim**
Maintenance
12.0
General deployment release for all platforms
12.0(20.3) Available 2001-November-26
12.0(21) Available 2002-January-07
12.0T
Early Deployment: various platforms
Not scheduled Upgrade recommended to 12.1
12.0XA
Early Deployment (ED) for selected platforms
End of Engineering Upgrade recommended to 12.1
12.0XB
Early Deployment (ED) for selected platforms
End of Engineering Upgrade recommended to 12.1
12.0XC
Early Deployment (ED) for selected platforms
End of Engineering Upgrade recommended to 12.1
12.0XD
Early Deployment (ED) for selected platforms
End of Engineering Upgrade recommended to 12.1
12.0XE
Early Deployment (ED) for selected platforms
End of Engineering Upgrade recommended to 12.1
12.0XG
Early Deployment (ED) for selected platforms
End of Engineering Upgrade recommended to 12.1
12.0XI
Early Deployment (ED) for selected platforms
End of Engineering Upgrade recommended to 12.1
12.0XK
Early Deployment (ED) for selected platforms
End of Engineering Upgrade recommended to 12.1
12.0XM
Early Deployment (ED) for selected platforms
End of Engineering Upgrade recommended to 12.1
12.0XQ
Early Deployment (ED) for selected platforms
End of Engineering Upgrade recommended to 12.1
12.0XR
Early Deployment (ED) for selected platforms
End of Engineering Upgrade recommended to 12.1
12.0XV
Early Deployment (ED) for selected platforms
End of Engineering Upgrade recommended to 12.1
12.1-based Releases
Rebuild
Interim**
Maintenance
12.1
Limited deployment release for all platforms
12.1(11a)
12.1(11.1)
12.1(12) Available 2001-December-03
12.1E
Core/ISP support: GSR, RSP, c7200
12.1(9.6)E
12.1(10)E
12.1E
Catalyst 6000
12.1(8a)E5
12.1T
Early Deployment (ED): VPN, Distributed Director, various platforms
End of Engineering Upgrade recommended to 12.2
12.1XB
Early Deployment (ED) for selected platforms
Not scheduled Upgrade recommended to 12.1(5)YB1
12.1XC
Early Deployment (ED) for selected platforms
End of Engineering Upgrade recommended to 12.2
12.1XF
Early Deployment (ED) for selected platforms
12.1(2)XF5 Available 2002-January
12.1XG
Early Deployment (ED) for selected platforms
12.1(3)XG6 Available 2002-January
12.1XH
Early Deployment (ED) for selected platforms
End of Engineering Upgrade recommended to 12.2
12.1XI
Early Deployment (ED) for selected platforms
End of Engineering Upgrade recommended to 12.2
12.1XJ
Early Deployment (ED) for selected platforms
End of Engineering Upgrade recommended to 12.1(5)YB
12.1XK
Early Deployment (ED) for selected platforms
End of Engineering Upgrade recommended to 12.2
12.1XL
Early Deployment (ED) for selected platforms
End of Engineering Upgrade recommended to 12.2
12.1XM
Early Deployment (ED) for selected platforms
12.1(5)XM6 Available 2001-December-03
12.1XP
Early Deployment (ED) for selected platforms
Not scheduled Migration recommended to 12.2T
12.1XT
Early Deployment (ED) for selected platforms
Not scheduled Migration recommended to 12.2T
12.1YB
Early Deployment (ED) for selected platforms
12.1(5)YB5 Available 2002-January
12.1YC
Early Deployment (ED) for selected platforms
12.1(5)YC2 Available 2002-January
12.1YE
Early Deployment (ED) for selected platforms
12.1(5)YE4
12.1YF
Early Deployment (ED) for selected platforms
12.1(5)YF3 Available 2001-November
12.2-based Releases
Rebuild
Interim**
Maintenance
12.2
Limited deployment release for various platforms
12.2(5.7)
12.2(6) Available 2001-November-12
12.2DD
Early Deployment (ED) for selected platforms
Not scheduled Upgrade recommended to 12.2(4)B
12.2T
Early deployment release for various platforms
12.2(5.7)T
12.2(8)T Available 2002-February-28
12.2XD
Early Deployment (ED) for selected platforms
12.2(2)XD3 Available 2002-January
12.2XE
Early Deployment (ED) for selected platforms
12.2(1)XE2 Available 2002-January
12.2XH
Early Deployment (ED) for selected platforms
12.2(2)XH2 Available 2002-January
12.2XI
Early Deployment (ED) for selected platforms
12.2(2)XI1 Available 2002-January
12.2XJ
Early Deployment (ED) for selected platforms
12.2(2)XJ1 Available 2002-January
12.2XK
Early Deployment (ED) for selected platforms
12.2(2)XK5 Available 2002-January
12.2XQ
Early Deployment (ED) for selected platforms
12.2(2)XQ2 Available 2002-January
Notes
* All dates are estimates and subject to change.
** Interim releases are subjected to less rigorous testing than regular maintenance releases, and may have serious bugs.
-
Maintenance - Most heavily tested and highly
recommended release of any label in a given row of the table.
-
This vulnerability was discovered by a customer. The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.3
2006-July-13
Fixed software table for 12.2 based releases.
Revision 1.2
2002-January-02
In the software information table on release 12.2T, added the release date as February 28, 2002. Also changed the next release version to 12.2(8)T. Deleted the rebuild version because there is no rebuild.
Revision 1.1
2001-November-29
In the table with fixed releases, in the row for 12.2T, added a T to the maintenance release 12.2(7)T.
Revision 1.0
2001-November-28
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.