PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER (ISSO), SPECIAL SECURITY OFFICER (SSO), INFORMATION RESOURCE MANAGER (IRM) AND AUTOMATED DATA PROCESSOR (ADP) COORDINATORS

SUBJECT: CISCO ROUTER PACKET HANDLING VULNERABILITY (AUTOMATED SYSTEM SECURITY INCIDENT SUPPORT TEAM (ASSIST) BULLETIN 93-13).

1. UNDER SOME CIRCUMSTANCES, CISCO ROUTERS WILL PASS IP SOURCE ROUTED PACKETS WHICH SHOULD HAVE BEEN DENIED. ROUTERS WHICH DO NOT USE THE "NO IP SOURCE-ROUTE" COMMAND ARE NOT AFFECTED. THIS VULNERABILITY APPLIES TO ALL MODELS OF CISCO ROUTERS. THIS PROBLEM OCCURS WITH THE FOLLOWING RELEASES OF SOFTWARE: 8.2, 8.3, 9.0, 9.1 AND 9.17. ASSIST STRONGLY RECOMMENDS THAT SITES USING CISCO ROUTERS TO PROVIDE FIREWALL PROTECTION TAKE IMMEDIATE ACTION TO ELIMINATE THIS VULNERABILITY FROM THEIR NETWORKS.

2. THIS SECURITY ISSUE IS FIXED IN CISCO SOFTWARE RELEASES 8.3(7.2), 9.0(5), 9.1(4), 9.17(2.1) AND IN ALL LATER RELEASES. CUSTOMERS WHO ARE USING SOFTWARE RELEASE 8.2 MUST UPGRADE TO A LATER RELEASE AND SHOULD CONTACT CISCO'S TECHNICAL ASSISTANCE CENTER (TAC) AT 800-553-2447 (INTERNET: TAC@CISCO.COM) FOR MORE INFORMATION. CISCO RECOMMENDS THAT CUSTOMERS WHOSE ROUTERS MAY BE AFFECTED BY THIS VULNERABILITY UPGRADE THEIR SOFTWARE TO THE FOLLOWING VERSIONS:

    RELEASE   (UPDATE)
    8.3       (8)
    9.0       (5)
    9.1       (4)
    9.17      (3)

THESE RELEASES ARE AVAILABLE FROM CISCO'S CUSTOMER INFORMATION ON-LINE (CIO) SERVICE FOR THOSE CUSTOMERS HAVING A MAINTENANCE CONTRACT. OTHER CUSTOMERS MAY OBTAIN THESE RELEASES THROUGH CISCO'S TECHNICAL ASSISTANCE CENTER, OR BY CONTACTING THEIR LOCAL CISCO DISTRIBUTOR.

2. PROBLEM DESCRIPTION: A VULNERABILITY EXISTS IN CISCO ROUTERS SUCH THAT A ROUTER WHICH IS CONFIGURED TO SUPPRESS SOURCE ROUTED PACKETS WITH THE FOLLOWING COMMAND:

    NO IP SOURCE-ROUTE

MAY ALLOW TRAFFIC WHICH SHOULD BE SUPPRESSED TO PASS THROUGH THE ROUTER/GATEWAY. ASSIST RECOMMENDS THAT AFFECTED CUSTOMERS UPGRADE TO A LATER VERSION OF THE AFFECTED SOFTWARE THAT HAS THE PROBLEM CORRECTED ASAP.
CUSTOMERS WHO CANNOT UPGRADE IMMEDIATELY MAY BE ABLE TO USE ACCESS LISTS TO PREVENT UNAUTHORIZED TRAFFIC.

3. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS PETE HAMMES, COMM (703) 696-1924/5/6 OR DSN 226-1924/5/6. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER (800) SKY-PAGE (800-759-7243), PIN NUMBER 2133937. WHEN CALLING THE PAGER SERVICE, FOLLOW THE AUTOMATED VOICE INSTRUCTIONS AND ENTER THE CALL BACK NUMBER AFTER THE PROMPT. THE ASSIST DUTY OFFICER WILL CALL YOU BACK WITHIN 30 MINUTES. IF FASTER SERVICE IS REQUIRED, PREFIX YOUR TELEPHONE NUMBER WITH "999", AND THE ASSIST DUTY OFFICER WILL CALL BACK WITHIN 5 MINUTES. ASSIST CAN ALSO BE REACHED VIA E-MAIL AT "DOD-CERT(AT-SIGN)DDN-CONUS.DDN.MIL", BY DIALING INTO THE ASSIST ELECTRONIC BULLETIN BOARD AT (703) 696-8729, DSN 226, AND LEAVING A MESSAGE FOR THE SYSOP, OR BY LEAVING A VOICE MAIL MESSAGE FOR THE ASSIST TEAM AT (703) 696-1904 (SELECT '9').

BT