COMMAND

    IOS DFS Access List Leakage

SYSTEMS AFFECTED

    Cisco 7xxx

PROBLEM

    The following is based on a Cisco Field Notice.  Errors in certain
    Cisco IOS software versions for certain routers can cause IP datagrams
    to be output to network  interfaces even though access lists  have
    been applied to filter those  datagrams.  This applies to  routers
    from the Cisco 7xxx family only, and only when those routers  have
    been configured for distributed  fast switching (DFS).   There are
    two independent vulnerabilities, which  have been given Cisco  bug
    IDs CSCdk35564 and CSCdk43862.  Each vulnerability affects only  a
    specialized subset of DFS configurations.  Affected configurations
    are not  believed to  be extremely  common, but  neither are  they
    extremely rare.  More details below.

    These vulnerabilities may permit users to send packets to parts of
    the customer's network for which they are not authorized. This may
    permit unauthorized access or  other attacks on customer  computer
    systems or data.   These vulnerabilities apply  only to the  Cisco
    7xxx router family.  The Cisco 7xxx family are large, rack-mounted
    backbone routers used primarily by Internet service providers  and
    in large enterprise networks.  Cisco 75xx routers are affected  by
    both vulnerabilities.   Cisco 72xx  routers are  affected only  by
    CSCdk35564, and not by CSCdk43862. Cisco 70xx routers are affected
    only if they have RSP cards installed.

    Although each  of the  vulnerabilities is  different and manifests
    itself under different conditions, both  involve DFS.  DFS is  not
    enabled by  default in  any Cisco  product, and  must be  manually
    configured.  If  the command ip  route-cache distributed does  not
    appear  in  your  router  configuration  file,  then  you  are not
    affected by either vulnerability.  Specifically, process switching
    (no  ip  route-cache),  ordinary  fast switching (ip route-cache),
    optimum  switching  (ip  route-cache  optimum),  and  CEF  or dCEF
    switching  (ip  route-cache  cef,  ip  cef distributed switch) are
    not  affected.   Flow  switching  is  considered  a  form  of fast
    switching, and is affected only in distributed mode.  Interactions
    between  flow  switching  and  access  lists  reduce,  but  do not
    eliminate, the impact of both vulnerabilities when flow  switching
    is enabled along with DFS.

    CSCdk35564 affected configurations
    ==================================
        CSCdk35564  is  a  defect  in  the 11.1CC and 11.1CT releases.
        Routers running Cisco IOS software versions other than  11.1CC
        and 11.1CT are not affected by CSCdk35564. Cisco 72xx and 75xx
        routers are  affected; Cisco  70xx routers  are not  supported
        with  the  affected  hardware/software  combinations.   To  be
        affected  by  CSCdk35564,  your  router  must be configured to
        switch  traffic  from  an  interface  with  DFS  enabled to an
        interface without DFS enabled. This most commonly happens when
        routers  contain  both  versatile  interface  processor  (VIP)
        interface  cards  and  non-VIP  interface  cards. Since DFS is
        supported only  on VIP  interfaces, traffic  from a  VIP to  a
        non-VIP interface may be going from DFS to non-DFS.  If DFS is
        enabled on all of the interfaces in your router, then you  are
        not  affected  by  CSCdk35564.  If  DFS  is not enabled on any
        interface in your router, then you are not affected. If you do
        not use the ip access-group command to filter outgoing traffic
        on any non-DFS interfaces, then you are not affected.

    CSCdk43862 affected configurations
    ==================================
        CSCdk43862 affects 11.1, 11.2, and 11.3 versions of Cisco  IOS
        software on  the Cisco  70xx and  75xx series;  see the  table
        later in this document for  details. The Cisco 72xx series  is
        not affected by CSCdk43862, regardless of the software version
        in use.  To be  vulnerable, your router must be  configured to
        switch traffic from an input  interface with DFS enabled to  a
        logical  subinterface  of  a  physical  output interface.  The
        output  interface  may  or  may  not  have  DFS  enabled;  the
        important question for the output interface is whether or  not
        subinterfaces are in use, and whether or not output traffic to
        subinterfaces   is   being   filtered.     Subinterfaces   are
        pseudo-interfaces associated  with subsets  of the  traffic on
        physical interfaces.   For instance,  a physical  Frame  Relay
        interface might have a subinterface associated with each Frame
        Relay PVC.   Subinterfaces do not  exist by default;  they are
        created as part of  user configuration.  Subinterface  numbers
        always  contain  periods,  as  in  "Serial  0/1.1".   If  your
        configuration  file  does  not   contain  any  such   "dotted"
        interface numbers, then you are not vulnerable.  If you do not
        use the  ip access-group  command to  apply output access-list
        filtering  to  subinterfaces,  then  you  are  not vulnerable.
        CSCdk43862 causes the access list applied to one  subinterface
        on a  physical interface  to be  incorrectly used  for traffic
        destined for  a different  subinterface. If  you use  the same
        access list to filter outbound traffic on all subinterfaces of
        any given physical interface, then you are not vulnerable.
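
    The two sets of configuration conditions above can be checked
    mechanically from a saved configuration file.  The script below is an
    added example written for this page, not Cisco tooling; it parses the
    interface blocks, records whether "ip route-cache distributed" and an
    outbound "ip access-group" are present, and reports interfaces that
    match the CSCdk35564 condition (DFS enabled somewhere, outbound access
    list on a non-DFS interface) and the CSCdk43862 condition (subinterfaces
    of one physical interface filtered with different outbound access
    lists).  The sample configuration is constructed for the example.  Two
    assumptions are made: a subinterface inherits the route-cache setting
    of its physical interface, and a subinterface with no outbound list
    counts as "not the same access list" for CSCdk43862.  Platform (7xxx,
    RSP) and software-version conditions from the table in this document
    are not checked and must be verified separately.

```python
"""Audit a Cisco IOS configuration for the DFS access-list conditions
described in the advisory (CSCdk35564 and CSCdk43862).

Hypothetical helper written for this page; not Cisco's tooling.  Only the
configuration conditions are checked; platform and IOS version conditions
must be verified against the advisory's table separately.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Interface:
    name: str
    dfs: bool = False                # "ip route-cache distributed" present
    out_acl: Optional[str] = None    # ACL from "ip access-group <acl> out"

    @property
    def is_sub(self) -> bool:
        # Subinterface numbers always contain a period, e.g. Serial0/1.1
        return "." in self.name

    @property
    def parent(self) -> str:
        return self.name.split(".", 1)[0]


def parse_interfaces(config: str) -> Dict[str, Interface]:
    """Collect per-interface DFS and outbound access-group settings."""
    ifaces: Dict[str, Interface] = {}
    cur: Optional[Interface] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("!"):         # "!" terminates a config block
            cur = None
            continue
        if not line.strip():
            continue
        m = re.match(r"interface\s+(.+)$", line)
        if m:
            name = re.sub(r"\s+(point-to-point|multipoint)$", "", m.group(1))
            name = re.sub(r"\s+", "", name)    # "Serial 0/1.1" -> "Serial0/1.1"
            cur = ifaces.setdefault(name, Interface(name))
            continue
        if cur is None or not line[0].isspace():
            cur = None                   # a non-interface top-level command
            continue
        cmd = line.strip()
        if cmd == "ip route-cache distributed":
            cur.dfs = True
        elif cmd == "no ip route-cache distributed":
            cur.dfs = False
        else:
            m = re.match(r"ip access-group\s+(\S+)\s+out$", cmd)
            if m:
                cur.out_acl = m.group(1)
    return ifaces


def effective_dfs(iface: Interface, ifaces: Dict[str, Interface]) -> bool:
    """Assumption for this example: a subinterface inherits the route-cache
    setting of its physical interface, where DFS is actually configured."""
    if iface.is_sub and iface.parent in ifaces:
        return ifaces[iface.parent].dfs
    return iface.dfs


def audit(config: str) -> Dict[str, List[str]]:
    """Return, per bug ID, the interfaces matching its affected
    configuration.  An empty list means that bug's condition is not met."""
    ifaces = parse_interfaces(config)
    findings: Dict[str, List[str]] = {"CSCdk35564": [], "CSCdk43862": []}
    if not any(effective_dfs(i, ifaces) for i in ifaces.values()):
        return findings    # no DFS anywhere: neither bug applies

    # CSCdk35564: traffic entering on a DFS interface may leave via a
    # non-DFS interface whose outbound access list is then not honoured.
    findings["CSCdk35564"] = [
        i.name for i in ifaces.values()
        if not effective_dfs(i, ifaces) and i.out_acl is not None
    ]

    # CSCdk43862: subinterfaces of one physical interface filtered with
    # different outbound access lists.  A subinterface without an outbound
    # list counts as "different" (conservative reading of the advisory).
    by_parent: Dict[str, List[Interface]] = {}
    for i in ifaces.values():
        if i.is_sub:
            by_parent.setdefault(i.parent, []).append(i)
    for parent, subs in by_parent.items():
        acls = {s.out_acl for s in subs}
        if any(a is not None for a in acls) and len(acls) > 1:
            findings["CSCdk43862"].append(parent)
    return findings


# Constructed sample configuration for this example (not a real device).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip route-cache distributed
!
interface Ethernet1/0
 ip address 10.0.1.1 255.255.255.0
 ip access-group 101 out
!
interface Serial2/0
 encapsulation frame-relay
 ip route-cache distributed
!
interface Serial2/0.1 point-to-point
 ip address 10.0.2.1 255.255.255.252
 ip access-group 110 out
!
interface Serial2/0.2 point-to-point
 ip address 10.0.2.5 255.255.255.252
 ip access-group 120 out
!
interface Serial 3/0
 ip address 10.0.3.1 255.255.255.0
 no ip route-cache distributed
!
"""

if __name__ == "__main__":
    for bug, hits in audit(SAMPLE_CONFIG).items():
        status = "affected configuration" if hits else "condition not met"
        print(f"{bug}: {status} {hits}")
```

    On the sample, Ethernet1/0 is reported for CSCdk35564 (outbound list on
    a non-DFS interface while DFS is enabled elsewhere) and Serial2/0 for
    CSCdk43862 (its two subinterfaces use different outbound lists).
    Re-running the audit after applying a workaround from the SOLUTION
    section, such as the same list on every subinterface of Serial2/0, shows
    the corresponding finding disappear.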

    Incorrect access-list filtering may be applied to output  packets.
    Output  access  lists  are  frequently  used to implement security
    filtering, and the failure of  such access lists may permit  users
    to send packets  to parts of  the network for  which they are  not
    authorized.   This, in  turn, may  permit them  to bypass security
    restrictions, and to gain access  to data or resources from  which
    they should be excluded.  Neither of the defects described in this
    advisory "fails  reliably".   The same  access lists,  on the same
    interfaces, may work  correctly at some  times, and fail  at other
    times.   Because  of  this,  administrators  who test their access
    lists  may  be  misled  into  believing  that the access lists are
    providing  effective  protection,  when  in  fact  they  are  not.
    CSCdk43862 may result in legitimate traffic being filtered out, as
    well as in undesired traffic  being permitted to pass through  the
    router.  CSCdk35564  never  filters  legitimate  traffic;  it only
    permits undesired traffic.  An attacker who had detailed knowledge
    of  these  vulnerabilities  might  be  able  to  create conditions
    favorable to unauthorized access  being permitted.  However,  such
    activity would  probably be  unnecessary; even  without deliberate
    intervention by an attacker, such conditions would be expected  to
    occur frequently during the operation of most affected networks.

SOLUTION

    Neither vulnerability affects any Cisco product other than routers
    in the 70xx,  72xx or 75xx  series. Of 70xx  routers, only routers
    with the optional route-switch processor (RSP) card are  affected.
    Additional configuration conditions apply.  These  vulnerabilities
    can be worked around by disabling DFS on network interfaces  (with
    no ip route-cache distributed). Be  aware that the purpose of  DFS
    is to transfer computational load from the router's primary CPU to
    the CPUs on  the VIP cards,  and that disabling  DFS may therefore
    cause overload of the primary CPU.  Evaluate your traffic load and
    CPU usage before using this workaround.  If all interfaces in  the
    router are DFS-capable, but DFS  has for some reason been  enabled
    only on some of the interfaces, it may be possible to work  around
    CSCdk35564 by enabling DFS on all interfaces. This will not affect
    CSCdk43862.   CSCdk43862  can   sometimes  be  worked  around   by
    reconfiguring  to  use  the  same  output  access  list on all the
    subinterfaces of a physical interface.  Another possible workaround
    is to redesign the access-list structure on the router so that output
    access lists are not needed on affected interfaces.

    CSCdk43862  has  a  duplicate  report,  CSCdk43696.  The  bug   ID
    CSCdk43862 should be used to refer to this defect.  The  following
    table summarizes the affected Cisco IOS software versions for both
    CSCdk35564 and CSCdk43862, and indicates which versions have  been
    fixed.

    +----------+-------------+-----------+-------------+------------+-------------+
    |Cisco IOS |Initial CSCdk35564 Fixes |Initial CSCdk43862 Fixes  |Upgrade Path |
    |Major     |                         |                          |for 7xxx DFS |
    |Release   |Interim      |Regular    |Interim      |Regular     |Users        |
    |(only     |(minimal     |(dates are |(minimal     |(dates are  |             |
    |7xxx      |testing;     |subject to |testing;     |subject to  |             |
    |releases  |urgent       |change)    |urgent       |change)     |             |
    |are       |upgrades     |           |updates      |            |             |
    |listed)   |only)        |           |only)        |            |             |
    +==========+=============+===========+=============+============+=============+
    |11.0 and  |Unaffected   |Unaffected |Unaffected   |Unaffected  |Unaffected   |
    |earlier,  |             |           |             |            |             |
    |all       |             |           |             |            |             |
    |variants  |             |           |             |            |             |
    +----------+-------------+-----------+-------------+------------+-------------+
    |11.1      |Unaffected   |Unaffected |     -       |     -      |Go to 11.1CA |
    +----------+-------------+-----------+-------------+------------+-------------+
    |11.1CA    |Unaffected   |Unaffected |11.1(22)CA   |11.1(22)CA  |11.1(22)CA or|
    |(core ED) |             |           |             |            |later        |
    +----------+-------------+-----------+-------------+------------+-------------+
    |11.1CC    |11.1(21.2)CC |11.1(21)CC1|11.1(21.2)CC |11.1(21)CC1 |11.1(21)CC1, |
    |(CEF ED)  |             |11.1(22)CC |             |11.1(22)CC  |11.1(22)CC or|
    |          |             |           |             |            |later        |
    +----------+-------------+-----------+-------------+------------+-------------+
    |11.1CT    |11.1(21.2)CT |11.1(22)CT |11.1(21.2)CT |11.1(22)CT  |11.1(22)CT or|
    |(tag      |             |           |             |            |later        |
    |switch    |             |           |             |            |             |
    |ED)       |             |           |             |            |             |
    +----------+-------------+-----------+-------------+------------+-------------+
    |11.2      |Unaffected   |Unaffected |11.2(16.1)   |11.2(17),   |11.2(17) or  |
    |          |             |           |             |planned     |later;       |
    |          |             |           |             |Jan-1999    |11.2(16.1) or|
    |          |             |           |             |            |11.3 if      |
    |          |             |           |             |            |11.2(17)     |
    |          |             |           |             |            |schedule     |
    |          |             |           |             |            |unacceptable |
    +----------+-------------+-----------+-------------+------------+-------------+
    |11.2F     |Unaffected   |Unaffected |     -       |     -      |Go to 11.3   |
    +----------+-------------+-----------+-------------+------------+-------------+
    |11.2P     |Unaffected   |Unaffected |11.2(16.1)P  |11.2(17)P,  |11.2(17)P or |
    |(platform |             |           |             |planned     |later;       |
    |ED)       |             |           |             |Jan-1999    |11.2(16.1)P  |
    |          |             |           |             |            |or 11.3 if   |
    |          |             |           |             |            |11.2(17)P    |
    |          |             |           |             |            |schedule     |
    |          |             |           |             |            |unacceptable.|
    +----------+-------------+-----------+-------------+------------+-------------+
    |11.2BC    |Unaffected   |Unaffected |11.2(16.1)BC |11.2(17)BC, |11.2(17)BC or|
    |(CIP ED)  |             |           |             |planned     |later;       |
    |          |             |           |             |Jan-1999    |11.2(16.1)BC |
    |          |             |           |             |            |if 11.2(17)BC|
    |          |             |           |             |            |schedule     |
    |          |             |           |             |            |unacceptable.|
    +----------+-------------+-----------+-------------+------------+-------------+
    |11.3      |Unaffected   |Unaffected |11.3(6.2)    |11.3(7),    |11.3(7) or   |
    |          |             |           |             |planned     |later        |
    |          |             |           |             |Nov-1998    |             |
    +----------+-------------+-----------+-------------+------------+-------------+
    |11.3T     |Unaffected   |Unaffected |11.3(6.2)T   |11.3(7)T,   |11.3(7)T or  |
    |          |             |           |             |planned     |later        |
    |          |             |           |             |Nov-1998    |             |
    +----------+-------------+-----------+-------------+------------+-------------+
    |11.3NA    |Unaffected   |Unaffected |11.3(6.2)NA  |11.3(7)NA,  |11.3(7)NA or |
    |(voice    |             |           |             |planned     |later;       |
    |ED)       |             |           |             |Dec-1998    |11.3(6.2)NA  |
    |          |             |           |             |            |if 11.3(7)NA |
    |          |             |           |             |            |schedule     |
    |          |             |           |             |            |unacceptable.|
    +----------+-------------+-----------+-------------+------------+-------------+
    |11.3(2)XA |Unaffected   |Unaffected |     -       |     -      |11.3(7) or   |
    |          |             |           |             |            |later        |
    +----------+-------------+-----------+-------------+------------+-------------+
    |12.0(1)   |Unaffected   |Unaffected |Unaffected   |Unaffected  |Unaffected   |
    |and       |             |           |             |            |             |
    |later,    |             |           |             |            |             |
    |all       |             |           |             |            |             |
    |variants  |             |           |             |            |             |
    +----------+-------------+-----------+-------------+------------+-------------+