Cisco Gigabit Switch Router with Fast/Gigabit Ethernet Cards ACL Bypass/DoS Vulnerabilities
BID:1541
Info
Cisco Gigabit Switch Router with Fast/Gigabit Ethernet Cards ACL Bypass/DoS Vulnerabilities
| Bugtraq ID: | 1541 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 03 2000 12:00AM |
| Updated: | Aug 03 2000 12:00AM |
| Credit: | First made public in a Cisco advisory published on August 3, 2000. |
| Vulnerable: |
Cisco IOS 12.0.7 Cisco IOS 12.0.6 Cisco IOS 12.0.5 Cisco IOS 12.0.4 Cisco IOS 12.0.3 Cisco IOS 12.0.2 Cisco IOS 12.0.1 Cisco IOS 11.3.1 Cisco IOS 11.2.10 Cisco IOS 11.2.8 Cisco IOS 12.1 Cisco IOS 12.0 Cisco IOS 11.3 Cisco IOS 11.2P Cisco IOS 11.2 Cisco Gigabit Switch Router 12016 Cisco Gigabit Switch Router 12012 Cisco Gigabit Switch Router 12008 |
| Not Vulnerable: |
Cisco IOS 12.0(8.3)SC Cisco IOS 12.0(8.0.2)S Cisco IOS 12.0(7.4)S Cisco IOS 12.0(7)SC Cisco IOS 12.0(7)S1 Cisco IOS 11.2(19)GS0.2 |
Discussion
Cisco Gigabit Switch Router with Fast/Gigabit Ethernet Cards ACL Bypass/DoS Vulnerabilities
Cisco Gigabit Switch Routers (GSRs), when used with configured Fast Ethernet/Gigabit Ethernet cards may forward traffic bypassing ACLs. This could lead to exploitation of vulnerabilities that would normally have been protected by the access control lists. It may also be possible for an attacker to cause an interface on the target GSR to stop forwarding packets, resulting in a denial of service. The evasion of ACLs has to do with optimizations in handling of various packet types and occurs only on the affected interfaces. This vulnerability only exists when Fast Ethernet/Gigabit Ethernet network interface cards are used with Gigabit Switch Routers. All versions of IOS greater than 11.2 on GSRs are assumed to be vulnerable.
Cisco Gigabit Switch Routers (GSRs), when used with configured Fast Ethernet/Gigabit Ethernet cards may forward traffic bypassing ACLs. This could lead to exploitation of vulnerabilities that would normally have been protected by the access control lists. It may also be possible for an attacker to cause an interface on the target GSR to stop forwarding packets, resulting in a denial of service. The evasion of ACLs has to do with optimizations in handling of various packet types and occurs only on the affected interfaces. This vulnerability only exists when Fast Ethernet/Gigabit Ethernet network interface cards are used with Gigabit Switch Routers. All versions of IOS greater than 11.2 on GSRs are assumed to be vulnerable.
Exploit / POC
Cisco Gigabit Switch Router with Fast/Gigabit Ethernet Cards ACL Bypass/DoS Vulnerabilities
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Cisco Gigabit Switch Router with Fast/Gigabit Ethernet Cards ACL Bypass/DoS Vulnerabilities
Solution:
The following versions of IOS contain the fix for this vulnerability:
* 11.2(19)GS0.2
* 12.0(8.0.2)S
* 12.0(7)S1
* 12.0(7.4)S
* 12.0(8.3)SC
* 12.0(7)SC
Upgrade the firmware in your GSRs to any of the applicable versions listed above.
Solution:
The following versions of IOS contain the fix for this vulnerability:
* 11.2(19)GS0.2
* 12.0(8.0.2)S
* 12.0(7)S1
* 12.0(7.4)S
* 12.0(8.3)SC
* 12.0(7)SC
Upgrade the firmware in your GSRs to any of the applicable versions listed above.
References
Cisco Gigabit Switch Router with Fast/Gigabit Ethernet Cards ACL Bypass/DoS Vulnerabilities
References:
References:
- Cisco 12000 Series Product Information (Cisco Systems)
- Cisco Product Security Incident Response (Cisco Systems)