COMMAND
IOS DFS Access List Leakage
SYSTEMS AFFECTED
Cisco 7xxx
PROBLEM
The following is based on a Cisco Field Notice. Errors in certain Cisco
IOS software versions for certain routers can cause IP datagrams
to be output to network interfaces even though access lists have
been applied to filter those datagrams. This applies to routers
from the Cisco 7xxx family only, and only when those routers have
been configured for distributed fast switching (DFS). There are
two independent vulnerabilities, which have been given Cisco bug
IDs CSCdk35564 and CSCdk43862. Each vulnerability affects only a
specialized subset of DFS configurations. Affected configurations
are not believed to be extremely common, but neither are they
extremely rare. More details below.
These vulnerabilities may permit users to send packets to parts of
the customer's network for which they are not authorized. This may
permit unauthorized access or other attacks on customer computer
systems or data. These vulnerabilities apply only to the Cisco
7xxx router family. The Cisco 7xxx family are large, rack-mounted
backbone routers used primarily by Internet service providers and
in large enterprise networks. Cisco 75xx routers are affected by
both vulnerabilities. Cisco 72xx routers are affected only by
CSCdk35564, and not by CSCdk43862. Cisco 70xx routers are affected
only if they have RSP cards installed.
Although each of the vulnerabilities is different and manifests
itself under different conditions, both involve DFS. DFS is not
enabled by default in any Cisco product, and must be manually
configured. If the command ip route-cache distributed does not
appear in your router configuration file, then you are not
affected by either vulnerability. Specifically, process switching
(no ip route-cache), ordinary fast switching (ip route-cache),
optimum switching (ip route-cache optimum), and CEF or dCEF
switching (ip route-cache cef, ip cef distributed switch) are
not affected. Flow switching is considered a form of fast
switching, and is affected only in distributed mode. Interactions
between flow switching and access lists reduce, but do not
eliminate, the impact of both vulnerabilities when flow switching
is enabled along with DFS.
CSCdk35564 affected configurations
==================================
CSCdk35564 is a defect in the 11.1CC and 11.1CT releases.
Routers running Cisco IOS software versions other than 11.1CC
and 11.1CT are not affected by CSCdk35564. Cisco 72xx and 75xx
routers are affected; Cisco 70xx routers are not supported
with the affected hardware/software combinations. To be
affected by CSCdk35564, your router must be configured to
switch traffic from an interface with DFS enabled to an
interface without DFS enabled. This most commonly happens when
routers contain both versatile interface processor (VIP)
interface cards and non-VIP interface cards. Since DFS is
supported only on VIP interfaces, traffic from a VIP to a
non-VIP interface may be going from DFS to non-DFS. If DFS is
enabled on all of the interfaces in your router, then you are
not affected by CSCdk35564. If DFS is not enabled on any
interface in your router, then you are not affected. If you do
not use the ip access-group command to filter outgoing traffic
on any non-DFS interfaces, then you are not affected.
CSCdk43862 affected configurations
==================================
CSCdk43862 affects 11.1, 11.2, and 11.3 versions of Cisco IOS
software on the Cisco 70xx and 75xx series; see the table
later in this document for details. The Cisco 72xx series is
not affected by CSCdk43862, regardless of the software version
in use. To be vulnerable, your router must be configured to
switch traffic from an input interface with DFS enabled to a
logical subinterface of a physical output interface. The
output interface may or may not have DFS enabled; the
important question for the output interface is whether or not
subinterfaces are in use, and whether or not output traffic to
subinterfaces is being filtered. Subinterfaces are
pseudo-interfaces associated with subsets of the traffic on
physical interfaces. For instance, a physical Frame Relay
interface might have a subinterface associated with each Frame
Relay PVC. Subinterfaces do not exist by default; they are
created as part of user configuration. Subinterface numbers
always contain periods, as in "Serial 0/1.1". If your
configuration file does not contain any such "dotted"
interface numbers, then you are not vulnerable. If you do not
use the ip access-group command to apply output access-list
filtering to subinterfaces, then you are not vulnerable.
CSCdk43862 causes the access list applied to one subinterface
on a physical interface to be incorrectly used for traffic
destined for a different subinterface. If you use the same
access list to filter outbound traffic on all subinterfaces of
any given physical interface, then you are not vulnerable.
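The Python script below is an added example, not part of the Cisco Field Notice, that checks a saved running-config for the configuration conditions spelled out above: DFS enabled somewhere (ip route-cache distributed), a non-DFS interface filtering outbound traffic with ip access-group (CSCdk35564), and subinterfaces of one physical interface filtering outbound traffic with different access lists (CSCdk43862). The sample configuration embedded in it is constructed for illustration; the parser is a deliberate simplification of IOS syntax, and the rule that a subinterface inherits DFS from its physical interface is an assumption of this example, not a statement of the advisory. The script does not check IOS versions or hardware, so the platform and release conditions stated above still have to be applied separately.

```python
"""Audit a Cisco IOS running-config for the two DFS access-list conditions
in this advisory.  Added example, not Cisco code.  Assumptions: a simplified
line-oriented parser, and that subinterfaces inherit DFS from their parent."""
import re
from collections import defaultdict

# Constructed sample: a DFS-enabled VIP port (Hssi1/0/0), a non-DFS port with
# an outbound ACL (Ethernet2/0), and a Frame Relay port whose subinterfaces
# carry different outbound ACLs (Serial3/0/0.1 .. .3).
SAMPLE_CONFIG = """\
interface Hssi1/0/0
 ip address 10.1.1.1 255.255.255.252
 ip route-cache distributed
!
interface Ethernet2/0
 ip access-group 101 out
!
interface Serial3/0/0
 encapsulation frame-relay
 ip route-cache distributed
!
interface Serial3/0/0.1 point-to-point
 ip access-group 102 out
!
interface Serial3/0/0.2 point-to-point
 ip access-group 103 out
!
interface Serial3/0/0.3 point-to-point
 ip address 10.3.5.1 255.255.255.252
!
"""


def parse_interfaces(config):
    """Map each interface name to its DFS flag and outbound ACL, if any."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):             # top-level statement
            m = re.match(r"interface\s+(\S+)", line)
            current = m.group(1) if m else None
            if current:
                interfaces[current] = {"dfs": False, "acl_out": None}
            continue
        if current is None:
            continue
        stmt = line.strip()
        if stmt == "ip route-cache distributed":
            interfaces[current]["dfs"] = True
        elif stmt == "no ip route-cache distributed":
            interfaces[current]["dfs"] = False
        else:
            m = re.match(r"ip access-group\s+(\S+)\s+out$", stmt)
            if m:
                interfaces[current]["acl_out"] = m.group(1)
    return interfaces


def physical_name(name):
    """'Serial3/0/0.1' -> 'Serial3/0/0'; a physical name maps to itself."""
    return name.split(".", 1)[0]


def effective_dfs(interfaces, name):
    """Assumption: DFS is set on the physical port and inherited by subifs."""
    parent = interfaces.get(physical_name(name), {"dfs": False})
    return interfaces[name]["dfs"] or parent["dfs"]


def check_cscdk35564(interfaces):
    """Non-DFS interfaces whose outbound ACL may be bypassed by traffic that
    arrived on a DFS interface.  Empty when DFS is enabled nowhere."""
    if not any(effective_dfs(interfaces, n) for n in interfaces):
        return []
    return sorted(n for n, i in interfaces.items()
                  if i["acl_out"] and not effective_dfs(interfaces, n))


def check_cscdk43862(interfaces):
    """Physical interfaces whose subinterfaces filter outbound traffic with
    differing ACLs (no ACL counts as different).  Empty when DFS is off."""
    if not any(effective_dfs(interfaces, n) for n in interfaces):
        return {}
    groups = defaultdict(dict)
    for name, i in interfaces.items():
        if "." in name:
            groups[physical_name(name)][name] = i["acl_out"]
    return {phys: dict(sorted(subs.items()))
            for phys, subs in groups.items()
            if any(subs.values()) and len(set(subs.values())) > 1}


def audit(config):
    """Run both checks; empty results for both mean 'not affected'."""
    interfaces = parse_interfaces(config)
    return {"CSCdk35564": check_cscdk35564(interfaces),
            "CSCdk43862": check_cscdk43862(interfaces)}


if __name__ == "__main__":
    for bug, hits in audit(SAMPLE_CONFIG).items():
        print(bug, "->", hits or "not affected")
```

To use it on a real router, save the output of show running-config to a file and pass its contents to audit() in place of SAMPLE_CONFIG. Because neither defect fails reliably, a traffic test that happens to pass is no substitute for this configuration check or for the fixed releases listed in the SOLUTION table.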
Impact
======
Incorrect access-list filtering may be applied to output packets.
Output access lists are frequently used to implement security
filtering, and the failure of such access lists may permit users
to send packets to parts of the network for which they are not
authorized. This, in turn, may permit them to bypass security
restrictions, and to gain access to data or resources from which
they should be excluded. Neither of the defects described in this
advisory "fails reliably". The same access lists, on the same
interfaces, may work correctly at some times, and fail at other
times. Because of this, administrators who test their access
lists may be misled into believing that the access lists are
providing effective protection, when in fact they are not.
CSCdk43862 may result in legitimate traffic being filtered out, as
well as in undesired traffic being permitted to pass through the
router. CSCdk35564 never filters legitimate traffic; it only
permits undesired traffic. An attacker who had detailed knowledge
of these vulnerabilities might be able to create conditions
favorable to unauthorized access being permitted. However, such
activity would probably be unnecessary; even without deliberate
intervention by an attacker, such conditions would be expected to
occur frequently during the operation of most affected networks.
SOLUTION
Neither vulnerability affects any Cisco product other than routers
in the 70xx, 72xx or 75xx series. Of 70xx routers, only routers
with the optional route-switch processor (RSP) card are affected.
Additional configuration conditions apply. These vulnerabilities
can be worked around by disabling DFS on network interfaces (with
no ip route-cache distributed). Be aware that the purpose of DFS
is to transfer computational load from the router's primary CPU to
the CPUs on the VIP cards, and that disabling DFS may therefore
cause overload of the primary CPU. Evaluate your traffic load and
CPU usage before using this workaround. If all interfaces in the
router are DFS-capable, but DFS has for some reason been enabled
only on some of the interfaces, it may be possible to work around
CSCdk35564 by enabling DFS on all interfaces. This will not affect
CSCdk43862. CSCdk43862 can sometimes be worked around by
reconfiguring to use the same output access list on all the
subinterfaces of a physical interface. Another possible
workaround is to redesign the access lists structure on the router
to avoid the need for output access lists on affected interfaces.
CSCdk43862 has a duplicate report, CSCdk43696. The bug ID
CSCdk43862 should be used to refer to this defect. The following
table summarizes the affected Cisco IOS software versions for both
CSCdk35564 and CSCdk43862, and indicates which versions have been
fixed.
+----------+-------------+-----------+-------------+------------+-------------+
|Cisco IOS |Initial CSCdk35564 Fixes |Initial CSCdk43862 Fixes |Upgrade Path |
|Major | | |for 7xxx DFS |
|Release |Interim |Regular |Interim |Regular |Users |
|(only |(minimal |(dates are |(minimal |(dates are | |
|7xxx |testing; |subject to |testing; |subject to | |
|releases |urgent |change) |urgent |change) | |
|are |upgrades | |updates | | |
|listed) |only) | |only) | | |
+==========+=============+===========+=============+============+=============+
|11.0 and |Unaffected |Unaffected |Unaffected |Unaffected |Unaffected |
|earlier, | | | | | |
|all | | | | | |
|variants | | | | | |
+----------+-------------+-----------+-------------+------------+-------------+
|11.1 |Unaffected |Unaffected | - | - |Go to 11.1CA |
+----------+-------------+-----------+-------------+------------+-------------+
|11.1CA |Unaffected |Unaffected |11.1(22)CA |11.1(22)CA |11.1(22)CA or|
|(core ED) | | | | |later |
+----------+-------------+-----------+-------------+------------+-------------+
|11.1CC |11.1(21.2)CC |11.1(21)CC1|11.1(21.2)CC |11.1(21)CC1 |11.1(21)CC1, |
|(CEF ED) | |11.1(22)CC | |11.1(22)CC |11.1(22)CC or|
| | | | | |later |
+----------+-------------+-----------+-------------+------------+-------------+
|11.1CT |11.1(21.2)CT |11.1(22)CT |11.1(21.2)CT |11.1(22)CT |11.1(22)CT or|
|(tag | | | | |later |
|switch | | | | | |
|ED) | | | | | |
+----------+-------------+-----------+-------------+------------+-------------+
|11.2 |Unaffected |Unaffected |11.2(16.1) |11.2(17), |11.2(17) or |
| | | | |planned |later; |
| | | | |Jan-1999 |11.2(16.1) or|
| | | | | |11.3 if |
| | | | | |11.2(17) |
| | | | | |schedule |
| | | | | |unacceptable |
+----------+-------------+-----------+-------------+------------+-------------+
|11.2F |Unaffected |Unaffected | - | - |Go to 11.3 |
+----------+-------------+-----------+-------------+------------+-------------+
|11.2P |Unaffected |Unaffected |11.2(16.1)P |11.2(17)P, |11.2(17)P or |
|(platform | | | |planned |later; |
|ED)       |             |           |             |Jan-1999    |11.2(16.1)P  |
|          |             |           |             |            |or 11.3 if   |
| | | | | |11.2(17)P |
| | | | | |schedule |
| | | | | |unacceptable.|
+----------+-------------+-----------+-------------+------------+-------------+
|11.2BC |Unaffected |Unaffected |11.2(16.1)BC |11.2(17)BC, |11.2(17)BC or|
|(CIP ED) | | | |planned |later; |
| | | | |Jan-1999 |11.2(16.1)BC |
| | | | | |if 11.2(17)BC|
| | | | | |schedule |
| | | | | |unacceptable.|
+----------+-------------+-----------+-------------+------------+-------------+
|11.3 |Unaffected |Unaffected |11.3(6.2) |11.3(7), |11.3(7) or |
| | | | |planned |later |
| | | | |Nov-1998 | |
+----------+-------------+-----------+-------------+------------+-------------+
|11.3T |Unaffected |Unaffected |11.3(6.2)T |11.3(7)T, |11.3(7)T or |
| | | | |planned |later |
| | | | |Nov-1998 | |
+----------+-------------+-----------+-------------+------------+-------------+
|11.3NA |Unaffected |Unaffected |11.3(6.2)NA |11.3(7)NA, |11.3(7)NA or |
|(voice | | | |Planned |later; |
|ED)       |             |           |             |Dec-1998    |11.3(6.2)NA  |
|          |             |           |             |            |if 11.3(7)NA |
| | | | | |schedule |
| | | | | |unacceptable.|
+----------+-------------+-----------+-------------+------------+-------------+
|11.3(2)XA |Unaffected |Unaffected | - | - |11.3(7) or |
| | | | | |later |
+----------+-------------+-----------+-------------+------------+-------------+
|12.0(1) |Unaffected |Unaffected |Unaffected |Unaffected |Unaffected |
|and | | | | | |
|later, | | | | | |
|all | | | | | |
|variants | | | | | |
+----------+-------------+-----------+-------------+------------+-------------+