-----BEGIN PGP SIGNED MESSAGE-----

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    
          Automated Systems Security Incident Support Team
                                                _____
             ___   ___  _____   ___  _____     |     /
      /\    /   \ /   \   |    /   \   |       |    / Integritas
     /  \   \___  \___    |    \___    |       |   <      et
    /____\      \     \   |        \   |       |    \ Celeritas
   /      \ \___/ \___/ __|__  \___/   |       |_____\
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>  
    
                       Bulletin  95-22
 
       Release date: 6 June, 1995, 11:15 AM EDT (GMT -4)

SUBJECT: Vulnerability in Cisco's IOS software.

SUMMARY: Some versions of Cisco's IOS software contain a 
vulnerability when the 'established' keyword is used in extended 
IP access control lists.  The vulnerability could allow a user to
bypass IP packet filtering.  The Cisco update identifier for this 
fix is CSCdi34061.

BACKGROUND: The following IOS versions are affected:
 
        10.3(1) through 10.3(2)
        10.2(1) through 10.2(5)
        10.0(1) through 10.0(9)
 
and all versions of Cisco software previous to 10.0.  You can 
determine what version of IOS you are running by issuing the 
following command:
   show version 

To determine if your IOS configuration is vulnerable issue the
following command to display configuration parameters: 
   write term

If you see an access list line using a list number in the range of 
100 through 199 that permits or denies TCP traffic and contains the 
word 'established' near the end of the line, you may be vulnerable.  
An example line might look like:
   (In IOS 10.3)
   access-list 100 permit tcp any any established

   (In IOS 10.2 or earlier)
   access-list 100 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0
   255.255.255.255 established
                                                
   If you do not meet this test, then you are not vulnerable and no
   further action is required.

The vulnerability is fixed in the following official Cisco software 
releases:

        10.0(10) or later
        10.2(6)  or later
        10.3(3)  or later

IMPACT: This bug can, under very specific circumstances and only 
with certain IP host implementations, allow unauthorized packets to
circumvent a filtering router.

RECOMMENDED SOLUTIONS: Determine whether or not Cisco systems at
your site are vulnerable and take action to correct the problem on
all systems that are vulnerable. 

Customers may obtain software upgrades without going through the
Cisco's Technical Assistance Center via Cisco's Customer Information 
On-Line service.  Instructions for downloading information from Cisco
are included later in this message.  You may also contact your Cisco 
distributor or contact Cisco's Technical Assistance Center (TAC) for 
more information.  TAC can be reached by phone at 800-553-2447, by 
E-Mail to tac@cisco.com or via the World-Wide-Web at 
http://www.cisco.com.  In Europe you can contact TAC by phone at 
32-2-778-42-42 or via E-Mail to euro-tac@cisco.com.

Temporary Workaround
   The following actions will remove the vulnerability:
   Rewrite the access list parameters so the 'established' keyword 
   is not necessary.  This does not simply mean that you may remove
   the 'established' keyword, but rather that you will need to
   re-design your access lists to provide similar functionality 
   without using the established mechanism.
      or
   Disable the interfaces to which the access list is applied
   using the 'shutdown' interface subcommand:
   (example)
   router(config)#interface ethernet 0
   router(config-if)#shutdown

Permanent Fix
   Obtain and install the appropriate updated release of IOS 
   software that has the problem fixed (see BACKGROUND section
   above).  For assistance contact Cisco's TAC.

Technical Comments
   This problem is caused by an obscure but common design flaw that
   may exist in other vendor's router/firewall packet filtering
   implementations.  Owners of non-Cisco hardware who use IP packet
   filtering features similar to Cisco's "extended access lists" as 
   part of a firewall system may wish to contact their vendor to 
   confirm that this vulnerability does not exist in their system.
   This vulnerability can only be exploited with certain IP host
   implementations (the Cisco Security Bulletin on this topic did 
   not have information on which implementations are susceptible).  

Obtaining Cisco software upgrades.
A. World Wide Web (WWW):
   Registered CIO users can open a URL to:
   http://cio.cisco.com/kobayashi/Library_root.shtml
   and select the the version of software to download.

   Non-registered users can open a URL to:
   http://cio.cisco.com/public/library/spc_req.shtml
   When prompted for a code, enter:
   certjun2
   for a list of available files to download.
     
B. FTP:
   ftp cio.cisco.com and at the initial (username) prompt, enter:
   certjun2
   At the password prompt, enter your e-mail address, then:
   get README.certjun2
   This file contains a list of files available that close this
   vulnerability. 

C. Character-based "CIO Classic":
   For access, the following connection options are offered:
   telnet cio.cisco.com 
   o Dial-up modem
      + In Europe +33 1 64 46 40 82
      + In the US (408) 526 8070
      + vt100, N81, up to 14.4Kbps
   Enter either as a guest or registered user and navigate to the
   topic:
      Software Updates 
      Special Files
   At the prompt for a code, please enter:
   certjun2
   A list of files will be displayed for you to select and 
   download.

ASSIST would like to thank the Cisco Corporation for information
contained in this bulletin. 

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

ASSIST is an element of the Defense Information Systems Agency 
(DISA), Center for Information Systems Security (CISS), that 
provides service to the entire DoD community. Constituents 
of the DoD with questions about ASSIST or computer security 
security issues, can contact ASSIST using one of the methods
listed below.  Non-DoD organizations/institutions, contact
the Forum of Incident Response and Security Teams (FIRST)
(FIRST) representative.  To obtain a list of FIRST member
organizations and their constituencies send an email to
docserver@first.org with an empty "subject" line and a message body
containing the line "send first-contacts".

ASSIST Information Resources: To be included in the distribution
list for the ASSIST bulletins, send your Milnet (Internet) e-mail
address to assist-request@assist.mil.  Back issues of ASSIST 
bulletins, and other security related information, are available
from the ASSIST BBS at 703-607-4710, DSN 327-4710 and through 
anonymous FTP from assist.mil (IP address 199.211.123.11).  Note: 
assist.mil will only accept anonymous FTP connections from Milnet 
addresses that are registered with the NIC or DNS.  If your system 
is not registered, you must provide your MILNET IP address to 
ASSIST before access can be provided.
 
ASSIST Contact Information: 
PHONE: 800-357-4231 (or 703-756-7974 DSN 289), duty hours are 06:00
to 22:30 EDT (GMT -4) Monday through Friday.  During off duty hours, 
weekends and holidays, ASSIST can be reached via pager at 800-791-
4857.  The page will be answered within 30 minutes, however if a 
quicker response is required, prefix the phone number with "999".
ELECTRONIC MAIL: Send to assist@assist.mil. 
ASSIST BBS: Leave a message for the "sysop". 

ASSIST uses Pretty Good Privacy (PGP) 2.6.2 as the digital 
signature mechanism for bulletins.   PGP 2.6.2 incorporates the 
RSAREF(tm) Cryptographic Toolkit under license from RSA Data 
Security, Inc.  A copy of that license is available via anonymous 
FTP from net-dist.mit.edu (IP 18.72.0.3) in the file 
/pub/PGP/rsalicen.txt.  In accordance with the terms of that 
license,  PGP 2.6.2 may be used for non-commercial purposes only.
Instructions for downloading the PGP 2.6.2 software can also be 
obtained from net-dist.mit.edu in the pub/PGP/README file.  PGP 
2.6.2 and RSAREF may be subject to the export control laws of the 
United States of America as implemented by the United States 
Department of State Office of Defense Trade Controls.  The PGP 
signature information will be attached to the end of ASSIST 
bulletins.
  
Reference herein to any specific commercial product, process, or
service by trade name, trademark manufacturer, or otherwise, does
not constitute or imply its endorsement, recommendation, or
favoring by ASSIST.  The views and opinions of authors expressed
herein shall not be used for advertising or product endorsement
purposes. 

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6

mQCNAi4uZ40AAAEEAM1uraimCNeh5PtzX7KoGxC2u8uMTdl8V5sujk3MHbWvCuOM
W0FqDy5s9iwfQLZWzJ7cbM6L0mNOj8eJGoz7TqGKZDDRFlKAwg0x8joleZLC2gXw
FVdF/g6Mdv7ok7heoa+Y//YMeADnsSrmzqLCnhFbKYffww3EbdH6sbnW3Io9AAUR
tB9BU1NJU1QgVGVhbSA8YXNzaXN0QGFzc2lzdC5taWw+iQCVAwUQL1xx7tH6sbnW
3Io9AQEBYwP9FvIJbnKjtMLUj8ghd6hophSx8WZnfQsOmZX/BbX8vKz1a5BkBn4q
ANvW+uKGdUlE8LLMEm1PD59Cihcb3OoWDOU8zIOIErvry4eqa+LzEXV8nnBdes+A
a1MCMGSz+K3OaP78lQ7JCGoY9TXTWIelfAdBVBG4VQcSQRn8tjRdG2e0KEFTU0lT
VCBUZWFtIDxhc3Npc3RAYXNzaXN0Lmltcy5kaXNhLm1pbD6JAJUCBRAuLnHoh0Y9
0jC+b6kBAU0TA/4yXSL7K6tcfVm9ACnP4crCoutFM2w10e7YKxD850ajhWrh6rI9
O+sjU5WObqiPJ7sZHdEw/KARzPSijH/5h8HlyYa6ClksWxYuymzCsUYYJctdjcGr
uakfXgYQ1TkkyUfNrN5G90NuRK/vTRe7bkmyGNYjN9Njac1Q18WVF59Chg==
=d5rP
- -----END PGP PUBLIC KEY BLOCK-----





-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBL9Rx59H6sbnW3Io9AQGUEwP/RW6LmpGcOLBIBjZMEN3mpA6+7Ouypjl+
eYO1kTFpRB8iPM14+Aoyq8+7jeoKUDNmFL2fVcbUBgoJgIu5PKeOtBh6IHzYOpQA
w0pb0ZoobjGcdDGLfqMKjnkZB+mSJHN3f11MLXWthtwA2luy3tnQ8Xg2GwMdHXIF
aSi+fELpPjc=
=irIN
-----END PGP SIGNATURE-----