COMMAND
Cisco IOS(R) Software Input Access List Leakage with NAT
SYSTEMS AFFECTED
Cisco (see below for details)
PROBLEM
The following is based on a Cisco advisory. A group of related software
bugs create an undesired interaction between network address
translation (NAT) and input access list processing in certain
Cisco routers running 12.0-based versions of Cisco IOS software
(including 12.0, 12.0S, and 12.0T, in all versions up to, but not
including, 12.0(4), 12.0(4)S, and 12.0(4)T, as well as other 12.0
releases). Non-12.0 releases are not affected. This may cause
input access list filters to "leak" packets in certain NAT
configurations, creating a security exposure. Configurations
without NAT are not affected. The failure does not happen at all
times, and is less likely under laboratory conditions than in
installed networks. This may cause administrators to believe that
filtering is working when it is not.
If you are using input access lists in conjunction with NAT on an
interface of a Cisco IOS router running any 12.0-based version of
Cisco IOS software earlier than the fixed versions listed in the
table under "Software Versions and Fixes", then you are affected
by this vulnerability. Non-12.0 releases are not affected. Both
input access lists and NAT must be in use on the same router
interface in order for this vulnerability to manifest itself. If
your configuration file does not contain the command "ip
access-group <acl> in" on the same interface with "ip nat inside"
or "ip nat outside", then you are not affected. The majority of
routers are not configured to use NAT, and are therefore not
affected. NAT routers are most commonly found at Internet
boundaries. Cisco devices that run Cisco IOS software and are
affected by this vulnerability include the following:
* Cisco routers in the 17xx family are affected.
* Cisco routers in the 26xx family are affected.
* Cisco routers in the 36xx family are affected.
* Cisco routers in the AS58xx family (not the AS52xx or
AS53xx) are affected.
* Cisco routers in the 72xx family (including the ubr72xx) are
affected.
* Cisco routers in the RSP70xx family (not non-RSP 70xx
routers) are affected.
* Cisco routers in the 75xx family are affected.
* The Catalyst 5xxx Route-Switch Module (RSM) is affected. The
Catalyst 5xxx switch supervisors themselves are not affected;
only the optional RSM module is involved.
If you are unsure whether your device is running classic Cisco IOS
software, log into the device and issue the command "show version".
Cisco IOS software will identify itself simply as "IOS" or
"Internetwork Operating System Software". Other Cisco devices
either will not have the "show version" command, or will give
different output.
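As an added illustration (not part of the Cisco advisory), the following
Python script scans a saved "show running-config" for the exact condition
the advisory describes: an interface carrying "ip access-group <acl> in"
together with "ip nat inside" or "ip nat outside". The configuration
excerpt embedded in it is constructed for a hypothetical border router;
output-direction access lists (which the advisory does not implicate) and
interfaces with only one of the two commands are deliberately ignored.

```python
"""Added example (not from the Cisco advisory): find interfaces in a saved
"show running-config" that combine an input access list with NAT, which is
the configuration the advisory says is exposed.  SAMPLE_CONFIG is constructed."""
import re
from typing import Dict, List

# Constructed running-config excerpt for a hypothetical 12.0 border router.
SAMPLE_CONFIG = """\
version 12.0
hostname border-rtr
!
interface Ethernet0/0
 description Internet-facing
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
 ip nat outside
!
interface Ethernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 ip access-group 102 in
!
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
 ip access-group 103 out
 ip nat inside
!
access-list 101 permit tcp any host 192.0.2.1 eq smtp
access-list 101 deny ip any any log
access-list 102 permit ip any any
access-list 103 permit ip any any
end
"""

ACL_IN = re.compile(r"^ip access-group (\S+) in$")      # only *input* lists matter
NAT_ROLE = re.compile(r"^ip nat (inside|outside)$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to the commands configured under it."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None          # "!" or a global command ends the interface block
    return interfaces


def find_leaky_interfaces(config: str) -> Dict[str, Dict[str, str]]:
    """Interfaces carrying both "ip access-group <acl> in" and "ip nat inside|outside"."""
    hits: Dict[str, Dict[str, str]] = {}
    for name, commands in parse_interfaces(config).items():
        acl = nat = None
        for cmd in commands:
            if m := ACL_IN.match(cmd):
                acl = m.group(1)
            elif m := NAT_ROLE.match(cmd):
                nat = m.group(1)
        if acl and nat:
            hits[name] = {"acl": acl, "nat": nat}
    return hits


if __name__ == "__main__":
    found = find_leaky_interfaces(SAMPLE_CONFIG)
    for name, info in found.items():
        print(f"{name}: access-list {info['acl']} inbound on an 'ip nat {info['nat']}' "
              "interface -> exposed on unfixed 12.0 software")
    if not found:
        print("no interface combines an input access list with NAT")
```

In the constructed config only Ethernet0/0 is reported: Serial0/0 filters
but does not NAT, Ethernet0/1 NATs but does not filter, and Loopback0 has
an outbound list, which the advisory does not implicate. A clean result
from this check is only meaningful once the software version has also been
checked against the fixed releases in the table below.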
The severity of the impact may vary, depending on the device type,
configuration and environment, from sporadic leakage of occasional
packets to consistent leakage of significant classes of packets.
The environment dependencies are extremely complex and difficult
to characterize, but essentially all vulnerable configurations are
affected to some degree. Customers with affected devices are
advised to assume that the vulnerability affects their networks
whenever input access lists are used together with NAT in
12.0-based software. This vulnerability may allow users to
circumvent network security filters, and therefore security
policies. This may happen with no special effort on the part of
the user, and indeed without the user being aware that a filter
exists at all. No particular tools, skills, or knowledge are
needed for such opportunistic attacks. In some configurations, it
may also be possible for an attacker to deliberately create the
conditions for this failure; doing this would require detailed
knowledge and a degree of sophistication. The conditions that
trigger this vulnerability may be frequent and long-lasting in
some production configurations.
SOLUTION
Cisco devices which run Cisco IOS software, but are not affected
by this vulnerability, include the following:
* Cisco routers in the 8xx family are not affected.
* Cisco routers in the ubr9xx family are not affected.
* Cisco routers in the 10xx family are not affected.
* Cisco routers in the 14xx family are not affected.
* Cisco routers in the 16xx family are not affected.
* Cisco routers in the 25xx family are not affected.
* Cisco routers in the 30xx family are not affected (and do
not run 12.0 software).
* Cisco routers in the mc38xx family are not affected.
* Cisco routers in the 40xx family are not affected.
* Cisco routers in the 45xx family are not affected.
* Cisco routers in the 47xx family are not affected.
* Cisco routers in the AS52xx family are not affected.
* Cisco routers in the AS53xx family are not affected.
* Catalyst 85xx Switch Routers are not affected (and do not
support NAT).
* GSR12xxx Gigabit Switch Routers are not affected (and do not
support NAT).
* Cisco 64xx universal access concentrators are not affected.
* Cisco AGS/MGS/CGS/AGS+ and IGS routers are not affected (and
do not run 12.0 software).
* LS1010 ATM switches are not affected.
* Catalyst 2900XL LAN switches are not affected.
* The Cisco DistributedDirector is not affected.
If you are not running Cisco IOS software, then you are not
affected by this vulnerability. This vulnerability is created by
bugs in interface hardware drivers. These bugs affect the drivers
for all interface types on affected platforms. The majority of
these driver bugs are grouped under Cisco bug ID CSCdk79747.
Additional bug IDs include CSCdm22569 (miscellaneous additional
drivers), and CSCdm22299 (Cisco 1400 and 1700 platforms; of these
two, only the 1700 actually suffers packet leakage). A related
bug is CSCdm22451, which describes a problem with the original
fix for CSCdk79747. All four of these bugs are, or will be, fixed
in the software releases listed in the table below. Many Cisco
software images have been or will be specially reissued to correct
this vulnerability. However, a special release, 12.0(3b),
contains only the security vulnerability fixes, and does not
include any of the other bug fixes from later 12.0 interim
releases. If you were running 12.0(3), and wanted to upgrade to
fix this problem, without taking the risk of instability presented
by the new functionality and additional bug fixes in the 12.0(4)
release, you could upgrade to 12.0(3b). 12.0(3b) represents a
"code branch" from the 12.0(3) base, which merges back into the
12.0 mainline at 12.0(4). In every case, these special releases
are one-time spot fixes, and will not be maintained. The upgrade
path from, say, 12.0(3b), is to 12.0(4).
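As an added illustration (not part of the Cisco advisory), the following
Python script takes the version string from "show version" output and
decides whether it predates the first fixed release for its 12.0 train, as
listed in the table below. The "show version" excerpt is constructed, and
the version grammar the parser accepts is an assumption chosen to cover the
forms the table uses (12.0(3b), 12.0(3)T2, 12.0(2)XE3, 12.0(1)W5(x)); other
forms raise an error rather than being guessed at.

```python
"""Added example (not from the Cisco advisory): classify an IOS version string
against the fixed releases in the advisory's table.  The "show version"
sample is constructed, and the version grammar below is an assumption that
covers the forms the table uses (12.0(3b), 12.0(3)T2, 12.0(2)XE3, 12.0(1)W5(x))."""
import re
from typing import NamedTuple, Optional


class IosVersion(NamedTuple):
    major: int
    minor: int
    maint: int            # 3 in 12.0(3)
    rebuild: str          # "b" in 12.0(3b), "" otherwise
    train: str            # "" for mainline, or "S", "T", "XE", ...
    train_rebuild: int    # 2 in 12.0(3)T2, 0 otherwise


VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]+)?(\d+)?(?:\([^)]*\))?$")


def parse_version(text: str) -> IosVersion:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version string: {text!r}")
    major, minor, maint, rebuild, train, train_rebuild = m.groups()
    return IosVersion(int(major), int(minor), int(maint), rebuild or "",
                      train or "", int(train_rebuild or 0))


def fix_key(v: IosVersion):
    """Ordering within one train: maintenance number, rebuild letter, train rebuild."""
    return (v.maint, v.rebuild, v.train_rebuild)


# First fixed release per 12.0 train, taken from the advisory's table.
FIRST_FIXED = {
    "":   parse_version("12.0(3b)"),    # mainline spot fix; 12.0(4) carries it forward
    "S":  parse_version("12.0(4)S"),
    "T":  parse_version("12.0(3)T2"),   # 12.0(4)T carries it forward
    "XE": parse_version("12.0(2)XE3"),
}
UNAFFECTED_TRAINS = {"DB", "W", "XB", "XF"}    # not supported on affected platforms
NO_FIX_TRAINS = {"XA", "XC", "XD", "XG"}       # short-life; upgrade to 12.0(3)T2 / 12.0(4)T


def is_vulnerable_version(version: str) -> bool:
    """True if the release predates the fix for its train; non-12.0 releases are False."""
    v = parse_version(version)
    if (v.major, v.minor) != (12, 0):
        return False
    if v.train in UNAFFECTED_TRAINS:
        return False
    if v.train in NO_FIX_TRAINS:
        return True
    fixed = FIRST_FIXED.get(v.train)
    if fixed is None:
        return True         # "other 12.0 releases" per the advisory: assume affected
    return fix_key(v) < fix_key(fixed)


IOS_BANNER = re.compile(r"\bIOS\b|Internetwork Operating System Software")
VERSION_FIELD = re.compile(r"Version (\S+?),")


def version_from_show_version(output: str) -> Optional[str]:
    """Version string from "show version" output, or None if it does not look like classic IOS."""
    if not IOS_BANNER.search(output):
        return None
    m = VERSION_FIELD.search(output)
    return m.group(1) if m else None


def assess(show_version_output: str) -> Optional[bool]:
    """None when no IOS version is found; otherwise the result of is_vulnerable_version()."""
    ver = version_from_show_version(show_version_output)
    return None if ver is None else is_vulnerable_version(ver)


# Constructed "show version" excerpt for a hypothetical Cisco 2600.
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.0(3)T1,  RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
"""

if __name__ == "__main__":
    ver = version_from_show_version(SAMPLE_SHOW_VERSION)
    print(ver, "vulnerable" if assess(SAMPLE_SHOW_VERSION) else "fixed or unaffected")
```

The comparison is done per train because the spot fixes do not line up
across trains: 12.0(3)T1 is vulnerable while 12.0(3b) on the mainline is
fixed, and 12.0(3)S is vulnerable even though 12.0(3b) exists. A version
check alone is not sufficient; the router must also have an input access
list and NAT on the same interface for the leakage to occur.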
+-------------+---------------+--------------+-------------+---------------+
| | | | Projected | |
| | | Special spot | first fixed |Projected first|
| | | fix release; | regular or | fixed regular |
| Cisco IOS | | most stable | interim** | maintenance |
|Major Release| Description | immediate | release (fix| release (or |
| | | upgrade path | will carry |other long term|
| | | (see above) | forward into| upgrade path) |
| | | | all later | |
| | | | versions) | |
+-------------+---------------+--------------+-------------+---------------+
| Unaffected releases |
+-------------+---------------+--------------+-------------+---------------+
|11.3 and | | | | |
|earlier, all |Unaffected |Unaffected |Unaffected |Unaffected |
|variants |early releases | | | |
+-------------+---------------+--------------+-------------+---------------+
| | 12.0-based releases |
+-------------+---------------+--------------+-------------+---------------+
|12.0 |12.0 mainline |12.0(3b) |12.0(4), |12.0(4), |
| | | |April 19, |April 19, 1999*|
| | | |1999* | |
+-------------+---------------+--------------+-------------+---------------+
|12.0S |ISP support: | |12.0(4)S |12.0(5)S |
| |7200, RSP, | |(treated as |June 21, 1999* |
| |GSR12000. In | |interim** and| |
| |field test. | - |released to | |
| | | |field testers| |
| | | |on request | |
| | | |only | |
| | | | | |
+-------------+---------------+--------------+-------------+---------------+
|12.0T |12.0 new |12.0(3)T2, |12.0(4)T, |12.0(4)T, |
| |technology |April 14, |April 26, |April 26, 1999*|
| |early |1999* |1999* | |
| |deployment | | | |
+-------------+---------------+--------------+-------------+---------------+
|12.0DB |12.0 for Cisco | | |Unaffected; not|
| |6400 universal | | |supported on |
| |access | | |affected |
| |concentrator | - | - |platforms. |
| |node switch | | | |
| |processor (lab | | | |
| |use) | | | |
+-------------+---------------+--------------+-------------+---------------+
|12.0(1)W5(x) |12.0 for | | |Unaffected; not|
| |Catalyst 8500 | - | - |supported on |
| |and LS1010 | | |affected |
| | | | |platforms |
+-------------+---------------+--------------+-------------+---------------+
|12.0(0.6)W5 |One-time early | | |Unaffected; not|
| |deployment for | | |supported on |
| |CH-OC12 module | - | - |affected |
| |in Catalyst | | |platforms. |
| |8500 series | | | |
| |switches | | | |
+-------------+---------------+--------------+-------------+---------------+
|12.0(1)XA3 |Short-life | |Merged |Upgrade to |
| |release; merged| | |12.0(3)T2 or |
| |to 12.0T at | - | |12.0(4)T |
| |12.0(2)T. | | | |
| | | | | |
| | | | | |
+-------------+---------------+--------------+-------------+---------------+
|12.0(1)XB |Short-life |Unaffected |Merged |Unaffected; not|
| |release for | | |supported on |
| |Cisco 800 | | |affected |
| |series; merged | | |platforms. |
| |to 12.0T at | | |Regular upgrade|
| |12.0(3)T. | | |path is via |
| | | | |12.0(4)T |
| | | | | |
+-------------+---------------+--------------+-------------+---------------+
|12.0(2)XC |Short-life | |Merged |Upgrade to |
| |release for new| | |12.0(3)T2 or |
| |features in | | |12.0(4)T |
| |Cisco 2600, | | | |
| |Cisco 3600, | - | | |
| |ubr7200, ubr900| | | |
| |series; merged | | | |
| |to 12.0T at | | | |
| |12.0(3)T. | | | |
+-------------+---------------+--------------+-------------+---------------+
|12.0(2)XD |Short-life | |Merged |Upgrade to |
| |release for | | |12.0(3)T2 or |
| |ISDN voice | - | |12.0(4)T |
| |features; | | | |
| |merged to 12.0T| | | |
| |at 12.0(3)T. | | | |
+-------------+---------------+--------------+-------------+---------------+
|12.0(x)XE |Short-life |12.0(2)XE3, |Merged |Upgrade to |
| |release for |April 13, | |12.0(3)T2 or |
| |selected |1999* | |12.0(4)T. |
|             |enterprise     |              |             |               |
| |features; | | | |
| |merged to 12.0T| | | |
| |at 12.0(3)T | | | |
+-------------+---------------+--------------+-------------+---------------+
|12.0(2)XF |Short-life spot|Unaffected |Merged |Unaffected; not|
| |release of 12.0| | |supported on |
| |for the | | |affected |
| |Catalyst | | |platforms. |
| |2900XL LAN | | |Regular upgrade|
| |switch; merged | | |path is via |
| |to 12.0T at | | |12.0(4)T. |
| |12.0(4)T. | | | |
+-------------+---------------+--------------+-------------+---------------+
|12.0(2)XG |Short-life | |Merged |Upgrade to |
| |release for | | |12.0(4)T |
| |voice modules | - | | |
| |and features; | | | |
| |merged to 12.0T| | | |
| |at 12.0(4)T. | | | |
+-------------+---------------+--------------+-------------+---------------+
This vulnerability may be worked around by changing the
configuration to avoid using input access lists, by removing NAT
from the configuration, or by separating NAT and filtering
functions into different network devices or onto different
interfaces. Each of these changes has significant
installation-dependent complexity, and must be planned and
executed with a full understanding of the implications of the
change. If the configuration of a router is changed to eliminate
NAT, or to change the interfaces on which NAT is applied, as a
means of avoiding this vulnerability, the router must be reloaded
before the change will have the desired effect.