COMMAND

    Cisco IOS(R) Software Input Access List Leakage with NAT

SYSTEMS AFFECTED

    Cisco (see below for details)

PROBLEM

    The following is based on a Cisco advisory.  A group of  related
    software bugs create an undesired interaction between network address
    translation  (NAT)  and  input  access  list processing in certain
    Cisco routers  running 12.0-based  versions of  Cisco IOS software
    (including 12.0, 12.0S, and 12.0T, in all versions up to, but  not
    including, 12.0(4), 12.0(4)S, and 12.0(4)T, as well as other  12.0
    releases).  Non-12.0  releases are not  affected.  This  may cause
    input  access  list  filters  to  "leak"  packets  in  certain NAT
    configurations,  creating  a  security  exposure.   Configurations
    without NAT are not affected.  The failure does not happen at  all
    times,  and  is  less  likely  under laboratory conditions than in
    installed networks.  This may cause administrators to believe that
    filtering is working when it is not.

    If you are using input access lists in conjunction with NAT on  an
    interface of a Cisco IOS router running any 12.0-based version  of
    Cisco IOS software earlier than  the fixed versions listed in  the
    table under "Software Versions  and Fixes", then you  are affected
    by this vulnerability. Non-12.0  releases are not affected.   Both
    input access  lists and  NAT must  be in  use on  the same  router
    interface in order for this vulnerability to manifest itself.   If
    your  configuration  file  does   not  contain  the  command   "ip
    access-group <acl> in" on the same interface with "ip nat  inside"
    or "ip nat outside", then you  are not affected.  The majority  of
    routers  are  not  configured  to  use  NAT, and are therefore not
    affected.  NAT  routers  are  most  commonly  found  at   Internet
    boundaries.  Cisco devices that run Cisco IOS software and that are
    affected by this vulnerability include the following:

        * Cisco routers in the 17xx family are affected.
        * Cisco routers in the 26xx family are affected.
        * Cisco routers in the 36xx family are affected.
        * Cisco  routers  in  the  AS58xx  family  (not the AS52xx  or
          AS53xx) are affected.
        * Cisco routers in the 72xx family (including the ubr72xx) are
          affected.
        * Cisco  routers  in  the  RSP70xx  family  (not non-RSP  70xx
          routers) are affected.
        * Cisco routers in the 75xx family are affected.
        * The Catalyst 5xxx Route-Switch Module (RSM) is affected. The
          Catalyst 5xxx switch supervisors themselves are not affected;
          only the optional RSM module is involved.

    If you are unsure whether your device is running classic Cisco IOS
    software, log into the device and issue the command "show version".
    Cisco  IOS  software  will  identify  itself  simply  as  "IOS" or
    "Internetwork  Operating  System  Software".   Other Cisco devices
    either will  not have  the "show  version" command,  or will  give
    different output.
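    The advisory's own test is a configuration test: an interface is exposed
    only when "ip access-group <acl> in" and "ip nat inside" or "ip nat
    outside" appear on the same interface. As an added example, not part of
    the advisory, the following Python script applies that test to a saved
    running-config; the sample config is constructed, and the release number
    (12.0(3) versus 12.0(4) and so on) must still be read from "show version".

```python
import re
from typing import Dict, List, Optional, Pattern

# Constructed sample running-config; not taken from the advisory.
SAMPLE_CONFIG = """\
version 12.0
!
interface Ethernet0/0
 ip access-group 101 in
 ip nat outside
!
interface Ethernet0/1
 ip nat inside
!
interface Serial0/0
 ip access-group 102 in
!
interface Serial0/1
 ip access-group 103 out
 ip nat outside
!
"""

ACL_IN = re.compile(r"^ip access-group\s+(\S+)\s+in$")
NAT = re.compile(r"^ip nat (inside|outside)$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to the sub-commands of its stanza."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas


def first_match(pattern: Pattern[str], cmds: List[str]) -> Optional[str]:
    """Return group 1 of the first command matching pattern, else None."""
    for cmd in cmds:
        m = pattern.match(cmd)
        if m:
            return m.group(1)
    return None


def exposed_interfaces(config: str) -> Dict[str, str]:
    """Interfaces carrying BOTH an input access list and NAT, i.e. the
    advisory's trigger condition. Output ACLs ("out") do not count."""
    found: Dict[str, str] = {}
    for name, cmds in parse_interfaces(config).items():
        acl = first_match(ACL_IN, cmds)
        nat = first_match(NAT, cmds)
        if acl and nat:
            found[name] = f"access-group {acl} in + ip nat {nat}"
    return found


def is_12_0_based(config: str) -> bool:
    """True when the config header names the 12.0 train (all that the
    saved config reveals; the exact release comes from 'show version')."""
    return re.search(r"^version 12\.0$", config, re.M) is not None


if __name__ == "__main__":
    for iface, why in exposed_interfaces(SAMPLE_CONFIG).items():
        print(f"{iface}: {why}")
    print("12.0-based:", is_12_0_based(SAMPLE_CONFIG))
```

    Only Ethernet0/0 is reported for the sample: the NAT-only and
    output-ACL interfaces do not meet the advisory's condition.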

    The severity of the impact may vary, depending on the device type,
    configuration and environment, from sporadic leakage of occasional
    packets to consistent leakage  of significant classes of  packets.
    The environment dependencies  are extremely complex  and difficult
    to characterize, but essentially all vulnerable configurations are
    affected  to  some  degree.   Customers  with affected devices are
    advised to  assume that  the vulnerability  affects their networks
    whenever  input  access  lists  are  used  together  with  NAT  in
    12.0-based  software.   This  vulnerability  may  allow  users  to
    circumvent  network  security  filters,  and  therefore   security
    policies.  This may happen with  no special effort on the part  of
    the user, and  indeed without the  user being aware  that a filter
    exists at  all.   No particular  tools, skills,  or knowledge  are
    needed for such opportunistic attacks.  In some configurations, it
    may be also  possible for an  attacker to deliberately  create the
    conditions for  this failure;  doing this  would require  detailed
    knowledge and  a degree  of sophistication.   The conditions  that
    trigger this  vulnerability may  be frequent  and long-lasting  in
    some production configurations.

SOLUTION

    Cisco devices which run Cisco  IOS software, but are not  affected
    by this vulnerability, include the following:

        * Cisco routers in the 8xx family are not affected.
        * Cisco routers in the ubr9xx family are not affected.
        * Cisco routers in the 10xx family are not affected.
        * Cisco routers in the 14xx family are not affected.
        * Cisco routers in the 16xx family are not affected.
        * Cisco routers in the 25xx family are not affected.
        * Cisco routers  in the 30xx  family are not  affected (and do
          not run 12.0 software).
        * Cisco routers in the mc38xx family are not affected.
        * Cisco routers in the 40xx family are not affected.
        * Cisco routers in the 45xx family are not affected.
        * Cisco routers in the 47xx family are not affected.
        * Cisco routers in the AS52xx family are not affected.
        * Cisco routers in the AS53xx family are not affected.
        * Catalyst 85xx  Switch Routers are  not affected (and  do not
          support NAT).
        * GSR12xxx Gigabit Switch Routers are not affected (and do not
          support NAT).
        * Cisco 64xx universal access concentrators are not affected.
        * Cisco AGS/MGS/CGS/AGS+ and IGS routers are not affected (and
          do not run 12.0 software).
        * LS1010 ATM switches are not affected.
        * Catalyst 2900XL LAN switches are not affected.
        * The Cisco DistributedDirector is not affected.

    If you  are not  running Cisco  IOS software,  then you   are  not
    affected by this vulnerability.  This vulnerability is created  by
    bugs in interface hardware drivers.  These bugs affect the drivers
    for all  interface types  on affected  platforms. The  majority of
    these  driver  bugs  are  grouped  under  Cisco bug ID CSCdk79747.
    Additional bug IDs  include CSCdm22569  (miscellaneous  additional
    drivers), and CSCdm22299 (Cisco 1400 and 1700 platforms; of  these
    two, only the  1700 actually suffers  packet leakage).   A related
    bug is CSCdm22451,  which describes a  problem with the   original
    fix for CSCdk79747.  All four of these bugs are, or will be, fixed
    in the software  releases listed in  the table below.   Many Cisco
    software images have been or will be specially reissued to correct
    this  vulnerability.   However,   a  special  release,   12.0(3b),
    contains  only  the  security  vulnerability  fixes,  and does not
    include  any  of  the  other  bug  fixes  from  later 12.0 interim
    releases.  If you were  running 12.0(3), and wanted to  upgrade to
    fix this problem, without taking the risk of instability presented
    by the new functionality and  additional bug fixes in the  12.0(4)
    release,  you  could  upgrade  to  12.0(3b). 12.0(3b) represents a
    "code branch" from  the 12.0(3) base,  which merges back  into the
    12.0 mainline at 12.0(4).   In every case, these special  releases
    are one-time spot fixes, and  will not be maintained. The  upgrade
    path from, say, 12.0(3b), is to 12.0(4).

    +-------------+---------------+--------------+-------------+---------------+
    |             |               |              |  Projected  |               |
    |             |               | Special spot | first fixed |Projected first|
    |             |               | fix release; |  regular or | fixed regular |
    |  Cisco IOS  |               |  most stable |  interim**  |  maintenance  |
    |Major Release|  Description  |   immediate  | release (fix|  release (or  |
    |             |               | upgrade path |  will carry |other long term|
    |             |               | (see above)  | forward into| upgrade path) |
    |             |               |              |  all later  |               |
    |             |               |              |  versions)  |               |
    +-------------+---------------+--------------+-------------+---------------+
    |                           Unaffected releases                            |
    +-------------+---------------+--------------+-------------+---------------+
    |11.3 and     |               |              |             |               |
    |earlier, all |Unaffected     |Unaffected    |Unaffected   |Unaffected     |
    |variants     |early releases |              |             |               |
    +-------------+---------------+--------------+-------------+---------------+
    |             |             12.0-based releases                            |
    +-------------+---------------+--------------+-------------+---------------+
    |12.0         |12.0 mainline  |12.0(3b)      |12.0(4),     |12.0(4),       |
    |             |               |              |April 19,    |April 19, 1999*|
    |             |               |              |1999*        |               |
    +-------------+---------------+--------------+-------------+---------------+
    |12.0S        |ISP support:   |              |12.0(4)S     |12.0(5)S       |
    |             |7200, RSP,     |              |(treated as  |June 21, 1999* |
    |             |GSR12000. In   |              |interim** and|               |
    |             |field test.    |      -       |released to  |               |
    |             |               |              |field testers|               |
    |             |               |              |on request   |               |
    |             |               |              |only         |               |
    |             |               |              |             |               |
    +-------------+---------------+--------------+-------------+---------------+
    |12.0T        |12.0 new       |12.0(3)T2,    |12.0(4)T,    |12.0(4)T,      |
    |             |technology     |April 14,     |April 26,    |April 26, 1999*|
    |             |early          |1999*         |1999*        |               |
    |             |deployment     |              |             |               |
    +-------------+---------------+--------------+-------------+---------------+
    |12.0DB       |12.0 for Cisco |              |             |Unaffected; not|
    |             |6400 universal |              |             |supported on   |
    |             |access         |              |             |affected       |
    |             |concentrator   |      -       |      -      |platforms.     |
    |             |node switch    |              |             |               |
    |             |processor (lab |              |             |               |
    |             |use)           |              |             |               |
    +-------------+---------------+--------------+-------------+---------------+
    |12.0(1)W5(x) |12.0 for       |              |             |Unaffected; not|
    |             |Catalyst 8500  |      -       |      -      |supported on   |
    |             |and LS1010     |              |             |affected       |
    |             |               |              |             |platforms      |
    +-------------+---------------+--------------+-------------+---------------+
    |12.0(0.6)W5  |One-time early |              |             |Unaffected; not|
    |             |deployment for |              |             |supported on   |
    |             |CH-OC12 module |      -       |      -      |affected       |
    |             |in Catalyst    |              |             |platforms.     |
    |             |8500 series    |              |             |               |
    |             |switches       |              |             |               |
    +-------------+---------------+--------------+-------------+---------------+
    |12.0(1)XA3   |Short-life     |              |Merged       |Upgrade to     |
    |             |release; merged|              |             |12.0(3)T2 or   |
    |             |to 12.0T at    |      -       |             |12.0(4)T       |
    |             |12.0(2)T.      |              |             |               |
    |             |               |              |             |               |
    |             |               |              |             |               |
    +-------------+---------------+--------------+-------------+---------------+
    |12.0(1)XB    |Short-life     |Unaffected    |Merged       |Unaffected; not|
    |             |release for    |              |             |supported on   |
    |             |Cisco 800      |              |             |affected       |
    |             |series; merged |              |             |platforms.     |
    |             |to 12.0T at    |              |             |Regular upgrade|
    |             |12.0(3)T.      |              |             |path is via    |
    |             |               |              |             |12.0(4)T       |
    |             |               |              |             |               |
    +-------------+---------------+--------------+-------------+---------------+
    |12.0(2)XC    |Short-life     |              |Merged       |Upgrade to     |
    |             |release for new|              |             |12.0(3)T2 or   |
    |             |features in    |              |             |12.0(4)T       |
    |             |Cisco 2600,    |              |             |               |
    |             |Cisco 3600,    |      -       |             |               |
    |             |ubr7200, ubr900|              |             |               |
    |             |series; merged |              |             |               |
    |             |to 12.0T at    |              |             |               |
    |             |12.0(3)T.      |              |             |               |
    +-------------+---------------+--------------+-------------+---------------+
    |12.0(2)XD    |Short-life     |              |Merged       |Upgrade to     |
    |             |release for    |              |             |12.0(3)T2 or   |
    |             |ISDN voice     |      -       |             |12.0(4)T       |
    |             |features;      |              |             |               |
    |             |merged to 12.0T|              |             |               |
    |             |at 12.0(3)T.   |              |             |               |
    +-------------+---------------+--------------+-------------+---------------+
    |12.0(x)XE    |Short-life     |12.0(2)XE3,   |Merged       |Upgrade to     |
    |             |release for    |April 13,     |             |12.0(3)T2 or   |
    |             |selected       |1999*         |             |12.0(4)T.      |
    |             |enterprise     |              |             |               |
    |             |features;      |              |             |               |
    |             |merged to 12.0T|              |             |               |
    |             |at 12.0(3)T    |              |             |               |
    +-------------+---------------+--------------+-------------+---------------+
    |12.0(2)XF    |Short-life spot|Unaffected    |Merged       |Unaffected; not|
    |             |release of 12.0|              |             |supported on   |
    |             |for the        |              |             |affected       |
    |             |Catalyst       |              |             |platforms.     |
    |             |2900XL LAN     |              |             |Regular upgrade|
    |             |switch; merged |              |             |path is via    |
    |             |to 12.0T at    |              |             |12.0(4)T.      |
    |             |12.0(4)T.      |              |             |               |
    +-------------+---------------+--------------+-------------+---------------+
    |12.0(2)XG    |Short-life     |              |Merged       |Upgrade to     |
    |             |release for    |              |             |12.0(4)T       |
    |             |voice modules  |      -       |             |               |
    |             |and features;  |              |             |               |
    |             |merged to 12.0T|              |             |               |
    |             |at 12.0(4)T.   |              |             |               |
    +-------------+---------------+--------------+-------------+---------------+

    This  vulnerability  may   be  worked  around   by  changing   the
    configuration to avoid using  input access lists, by  removing NAT
    from  the  configuration,  or  by  separating  NAT  and  filtering
    functions  into  different  network  devices  or  onto   different
    interfaces.     Each    of   these    changes   has    significant
    installation-dependent  complexity,  and   must  be  planned   and
    executed  with  a  full  understanding  of the implications of the
    change.  If the configuration of a router is changed to  eliminate
    NAT, or to  change the interfaces  on which NAT  is applied, as  a
    means of avoiding this vulnerability, the router must be  reloaded
    before the change will have the desired effect.