Cisco Security Advisory
Mon Jul 31 16:24:28 1995
_________________________________________________________________

The following describes an error in Cisco's IOS software 10.3 release when the 'tacacs-ds' or 'tacacs' keyword is used in extended IP access control lists. This bug can cause an extended IP access control list to be misparsed, possibly allowing unauthorized packets to circumvent a filtering router.

This vulnerability is present in the following IOS software versions:

    10.3(3.4) through 10.3(4.2)

If you are running any of these IOS versions on a product that uses IP extended access lists, and you are using the 'tacacs-ds' or 'tacacs' keyword in these lists, then Cisco strongly recommends that you review your access lists to ensure that they have been parsed correctly. You can determine what version of IOS you are running by issuing the following command:

    show version

If your access list has been parsed incorrectly, the recommended action is to upgrade to a more recent version of IOS or perform the workaround described below.

The bug is fixed in the following official software releases:

    10.3(4.3) or later

(For reference, the Cisco update identifier for this fix is "CSCdi36962".)

Customers may obtain software upgrades without going through Cisco's Technical Assistance Center via Cisco's Customer Information On-Line service; instructions for downloading are available at the end of this message. You may also contact your Cisco distributor or Cisco's Technical Assistance Center (TAC) for more information. TAC can be reached by phone at (800) 553-2447, by e-mail to tac@cisco.com, or via the World-Wide-Web at http://www.cisco.com. In Europe you can contact TAC by phone at 32-2-778-42-42 or via e-mail to euro-tac@cisco.com.
_________________________________________________________________

A) Description

A bug in certain versions of IOS can cause extended IP access lists to be parsed incorrectly.
Under some circumstances, this may allow packets to bypass IP packet filtering and permit unintended IP traffic to pass through a filtering router.

IP extended access lists in versions 10.3(1) through 10.3(3.3) used the keyword 'tacacs-ds'. This keyword could be saved as part of the router configuration, either in non-volatile memory on the router or on an external TFTP server. Configuration files written by these versions and then read by versions 10.3(3.4) through 10.3(4.2) will not have the 'tacacs-ds' keyword parsed correctly. The result is that the entire line in the access list is ignored. An error message is generated when this occurs. Loss of such a line from the access list may create a vulnerability if the access list is used as part of a packet filter.

To determine if you are vulnerable, examine your current configuration and compare it to your intended configuration.

If the access lists in your current configuration and your intended configuration do not use the keyword 'tacacs-ds', you are not vulnerable. You do not need to do anything.

If your current configuration contains the keyword 'tacacs-ds', you should NOT upgrade that router to any version of IOS between 10.3(3.4) and 10.3(4.2). You are not currently vulnerable.

If your intended configuration contains the keywords 'tacacs-ds', 'tacacs', or filters on TCP or UDP port 49, and your current configuration does NOT contain this line of the access list, you are currently vulnerable. You should perform the workaround described below.

B) Workaround

The following action will remove the vulnerability:

  + Delete the access list and re-enter it based upon your intended configuration. Do not enter the 'tacacs-ds' keyword. Use the keyword 'tacacs' instead.

C) Solution

Obtain and install the appropriate release of IOS software as described above. For assistance contact Cisco's TAC.
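As an added example (not part of the advisory or Cisco's own tooling), the following Python script performs the check and the workaround described above: it compares the extended access-list lines of an intended configuration with those of the running configuration, flags missing entries that reference TACACS (the 'tacacs-ds' or 'tacacs' keyword, or port 49), and re-emits the intended list with 'tacacs' substituted for 'tacacs-ds'. The two sample configurations are constructed for illustration, and the 'no access-list N' deletion line is an assumption about IOS syntax, not something the advisory states.

```python
import re

# Constructed sample configs (not from the advisory): the intended list uses the
# deprecated 'tacacs-ds' keyword; the running config is what an affected IOS
# version kept after silently dropping that line at parse time.
INTENDED_CONFIG = """\
access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.2 eq tacacs-ds
access-list 101 permit tcp any host 10.2.2.3 eq 25
access-list 101 deny ip any any
"""
CURRENT_CONFIG = """\
access-list 101 permit tcp any host 10.2.2.3 eq 25
access-list 101 deny ip any any
"""


def acl_lines(config):
    """Extended IP access-list lines (numbered 100-199) of a config, in order."""
    return [l.strip() for l in config.splitlines()
            if re.match(r"\s*access-list\s+1\d\d\s", l)]


def missing_entries(intended, current):
    """Entries present in the intended config but absent from the running one."""
    present = set(acl_lines(current))
    return [l for l in acl_lines(intended) if l not in present]


def is_tacacs_related(line):
    """True if the entry filters TACACS: either keyword, or TCP/UDP port 49."""
    return any(t in ("tacacs-ds", "tacacs", "49") for t in line.split())


def vulnerable_entries(intended, current):
    """Missing entries that matter for this advisory (TACACS filters dropped)."""
    return [l for l in missing_entries(intended, current) if is_tacacs_related(l)]


def workaround_config(intended):
    """Re-enter the intended list with 'tacacs' in place of 'tacacs-ds'.
    Assumption: 'no access-list N' removes numbered list N before re-entry."""
    lines = acl_lines(intended)
    numbers = sorted({l.split()[1] for l in lines}, key=int)
    out = [f"no access-list {n}" for n in numbers]
    out += [re.sub(r"\btacacs-ds\b", "tacacs", l) for l in lines]
    return out


if __name__ == "__main__":
    for entry in vulnerable_entries(INTENDED_CONFIG, CURRENT_CONFIG):
        print("DROPPED TACACS FILTER:", entry)
    print("\n".join(workaround_config(INTENDED_CONFIG)))
```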
_________________________________________________________________

Software upgrades may be obtained via any of the following mechanisms:

A) World Wide Web (WWW):

  * For registered CCO users please open a URL to:
    [2]http://www.cisco.com/public/sw-center/
    and select the version of software to download.

  * For non-registered users open a URL to:
    [3]http://www.cisco.com/public/library/spc_req.shtml
    When prompted for a code, please enter: certjuly31
    for a list of available files to download.

B) FTP:

    ftp cco.cisco.com

  and at the initial (username) prompt, enter: certjuly31
  At the password prompt, enter your e-mail address. Then:

    get README.certjuly31

  This file contains a list of files available that close this vulnerability. Please examine this list to determine which files you need and then download them.

C) Character-based "CCO Classic":

  For access, the following connection options are offered:

  + telnet cco.cisco.com
  + Dial-up modem
    o In Europe +33 1 64 46 40 82
    o In the US (408) 526 8070
    # vt100, N81, up to 14.4Kbps

  Enter either as a guest or registered user and navigate to the topic:

    Software Updates
    Special Files

  At the prompt for a code, please enter: certjuly31
  A list of files will be displayed for you to select and download.
________________________________________________________

Posted: Aug 3 16:48:28 1995
[4]Copyright 1996 © Cisco Systems Inc.

References

2. http://www.cisco.com/public/sw-center/
3. http://www.cisco.com/public/library/spc_req.shtml
4. http://www.cisco.com/public/copyright.html