PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER {ISSO}, SPECIAL SECURITY OFFICER {SSO}, INFORMATION RESOURCE MANAGER {IRM} AND AUTOMATED DATA PROCESSOR {ADP} COORDINATORS

SUBJECT: CISCO ACCESS LIST VULNERABILITY {AUTOMATED SYSTEM SECURITY INCIDENT SUPPORT TEAM {ASSIST} BULLETIN 92-70}.

1. ASSIST HAS RECEIVED INFORMATION CONCERNING A VULNERABILITY THAT EXISTS WHEN CISCO ROUTERS ARE UTILIZED WITH ACCESS LISTS. THIS VULNERABILITY IS PRESENT IN CISCO SOFTWARE RELEASES 8.2, 8.3, 9.0 AND 9.1. ASSIST AND CISCO SYSTEMS STRONGLY RECOMMEND THAT SITES USING CISCO ROUTERS AS FIREWALLS TAKE IMMEDIATE ACTION TO ELIMINATE THIS VULNERABILITY FROM THEIR NETWORKS.

2. THIS VULNERABILITY IS FIXED IN CISCO SOFTWARE RELEASES 8.3 (UPDATE 5.10), 9.0 (UPDATE 2.5), 9.1 (UPDATE 1.1) AND IN ALL LATER RELEASES. CUSTOMERS WHO ARE USING SOFTWARE RELEASE 8.2 AND CANNOT UPGRADE TO A LATER RELEASE SHOULD CONTACT CISCO'S TECHNICAL ASSISTANCE CENTER (TAC) AT 800-553-2447 (INTERNET: TAC@CISCO.COM) FOR MORE INFORMATION. INSTRUCTIONS FOR OBTAINING THE UPDATED VERSIONS OF THE CISCO SOFTWARE ARE DESCRIBED IN PARAGRAPH 5 OF THIS MESSAGE. THE WORKAROUND DESCRIBED IN PARAGRAPH 4 OF THIS MESSAGE SHOULD BE INSTALLED IMMEDIATELY AND USED AS A TEMPORARY FIX UNTIL THE APPROPRIATE UPGRADE IS ACQUIRED AND INSTALLED.

3. VULNERABILITY DESCRIPTION: A VULNERABILITY IN CISCO ACCESS LISTS ALLOWS SOME PACKETS THAT SHOULD BE FILTERED BY THE ACCESS LIST TO BE ROUTED. THIS VULNERABILITY CAN ALLOW UNAUTHORIZED TRAFFIC TO PASS THROUGH THE GATEWAY AND CAN BLOCK AUTHORIZED TRAFFIC. IF A CISCO ROUTER IS CONFIGURED TO USE EXTENDED IP ACCESS LISTS FOR TRAFFIC FILTERING ON AN MCI, SCI, CBUS OR CBUSII INTERFACE, AND THE IP ROUTE CACHE IS ENABLED, AND THE "ESTABLISHED" KEYWORD IS USED IN THE ACCESS LIST, THEN THE ACCESS LIST CAN BE IMPROPERLY EVALUATED. ALL THREE CONDITIONS MUST HOLD TOGETHER. THIS CAN PERMIT ROUTING OF PACKETS THAT SHOULD BE FILTERED AND FILTERING OF PACKETS WHICH SHOULD BE ROUTED.

4.
WORKAROUND: THIS WORKAROUND SHOULD ONLY BE USED AS AN INTERIM SOLUTION TO THIS PROBLEM UNTIL THE UPDATE FROM CISCO CAN BE INSTALLED. THIS VULNERABILITY CAN BE AVOIDED BY EITHER REWRITING THE EXTENDED ACCESS LIST TO NOT USE THE "ESTABLISHED" KEYWORD, OR BY CONFIGURING THE INTERFACE TO NOT USE THE IP ROUTE CACHE. TO DISABLE THE IP ROUTE CACHE, USE THE CONFIGURATION COMMAND "NO IP ROUTE-CACHE". EXAMPLE FOR A SERIAL INTERFACE:

    ROUTER>ENABLE
    PASSWORD:
    ROUTER#CONFIGURE TERMINAL
    ENTER CONFIGURATION COMMANDS, ONE PER LINE, EDIT WITH DELETE, CTRL/W, AND CTRL/U; END WITH CTRL/Z:
    INTERFACE SERIAL 0
    NO IP ROUTE-CACHE
    ^Z
    ROUTER#WRITE MEMORY

5. THE FOLLOWING UPDATED RELEASES THAT HAVE THE VULNERABILITY ELIMINATED ARE AVAILABLE VIA ANONYMOUS FTP FROM FTP.CISCO.COM (131.108.1.111). NOTE: THIS FTP SERVER WILL NOT ALLOW FILENAMES TO BE LISTED OR MATCHED WITH WILDCARDS. YOU ALSO CANNOT REQUEST THE FILE BY ITS FULL PATHNAME. YOU MUST FIRST CD TO THE DESIRED DIRECTORY (BETA83_DIR, BETA90_DIR, OR BETA91_DIR) AND THEN REQUEST THE DESIRED FILE (GS3-BFX.83-5.10, ETC.).

    RELEASE (UPDATE)   FILENAME                     SIZE      CHECKSUM
    8.3 (5.10)         BETA83_DIR/GS3-BFX.83-5.10   1234696   02465 1206
    9.0 (2.5)          BETA90_DIR/GS3-BFX.90-2.5    1705364   47092 1666
    9.1 (1.1)          BETA91_DIR/GS3-K.91-1.1      2005548   59407 1959

THESE RELEASES ARE ALSO AVAILABLE ON CISCO'S CUSTOMER INFORMATION ON-LINE (CIO) SERVICE FOR THOSE CUSTOMERS HAVING A MAINTENANCE CONTRACT. OTHER CUSTOMERS MAY OBTAIN THESE RELEASES THROUGH CISCO'S TECHNICAL ASSISTANCE CENTER OR BY CONTACTING THEIR LOCAL CISCO DISTRIBUTOR.

6. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS MIKE HIGGINS, COMM {703} 696-1904 OR DSN 226-1904. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER {800} SKY-PAGE {800-759-7243}, PIN NUMBER 2133937. WHEN CALLING THE PAGER SERVICE, FOLLOW THE AUTOMATED VOICE INSTRUCTIONS AND ENTER THE CALL BACK NUMBER AFTER THE PROMPT. THE ASSIST DUTY OFFICER WILL CALL YOU BACK WITHIN 30 MINUTES.
IF FASTER SERVICE IS REQUIRED, PREFIX YOUR TELEPHONE NUMBER WITH "999", AND THE ASSIST DUTY OFFICER WILL CALL BACK WITHIN 5 MINUTES. ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-CERT{AT-SIGN}DDN-CONUS.DDN.MIL".

BT
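As an added example (not part of the bulletin and not Cisco's own tooling), a Python audit of a saved router configuration that flags interfaces in the state paragraph 3 describes (an extended list carrying the "ESTABLISHED" keyword applied on an interface whose IP route cache is still enabled) and emits the paragraph 4 interim fix for each. The sample configuration and its interface names are constructed; the script assumes the classic numbered extended-list syntax and that the route cache is on unless "no ip route-cache" appears in the stanza.

```python
import re
# Constructed sample IOS configuration (hypothetical interface names, not taken
# from the bulletin). The IP route cache is on unless explicitly disabled.
SAMPLE_CONFIG = """\
interface Ethernet 0
 ip access-group 101
interface Serial 0
 ip access-group 102
 no ip route-cache
interface Serial 1
 ip access-group 101
access-list 101 permit tcp 0.0.0.0 255.255.255.255 192.0.2.0 0.0.0.255 established
access-list 102 permit tcp 0.0.0.0 255.255.255.255 192.0.2.0 0.0.0.255 established
access-list 103 permit tcp 0.0.0.0 255.255.255.255 192.0.2.0 0.0.0.255 eq 25
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Group indented lines under the interface stanza they belong to."""
    stanzas: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.lower().startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # left the stanza (e.g. an access-list line)
    return stanzas

def lists_using_established(config: str) -> set[str]:
    """Numbers of the extended access lists that carry the 'established' keyword."""
    pattern = r"^\s*access-list\s+(\d+)\s+(?:permit|deny)\s+.*\bestablished\b"
    return set(re.findall(pattern, config, re.I | re.M))

def find_exposed_interfaces(config: str) -> list[str]:
    """Interfaces applying an 'established' list while the route cache is still on."""
    risky = lists_using_established(config)
    exposed = []
    for name, lines in parse_interfaces(config).items():
        applied = {l.split()[2] for l in lines if l.lower().startswith("ip access-group ")}
        cache_off = any(l.lower() == "no ip route-cache" for l in lines)
        if applied & risky and not cache_off:
            exposed.append(name)
    return exposed

def workaround_commands(config: str) -> list[str]:
    """The bulletin's interim fix, 'no ip route-cache', for each exposed interface."""
    return [c for n in find_exposed_interfaces(config) for c in (f"interface {n}", " no ip route-cache")]
```

The interface hardware type (MCI, SCI, CBUS, CBUSII) is not visible in the configuration text, so the script treats every interface as a candidate and the operator must confirm the hardware condition from the router itself.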