COMMAND
Gigabit Switch
SYSTEMS AFFECTED
Cisco Gigabit Switch (12008 and 12012 GSRs) running Cisco IOS
11.2(14)GS2 through 11.2(15)GS3
PROBLEM
The following is based on a Cisco security notice. Cisco 12000 series
Gigabit Switch Routers running certain versions of Cisco IOS
software forward unauthorized traffic due to an error encountered
while processing the established keyword in an access-list
statement. The resulting vulnerability could be exploited to
circumvent a site's security policy. Only Cisco Gigabit Switch
Routers (currently the 12008 and 12012 GSRs) running Cisco IOS
software release 11.2(14)GS2 through 11.2(15)GS3 are vulnerable.
A GSR running release 11.2(14)GS2 through 11.2(15)GS3 is
vulnerable if the keyword established is used in an access-list
statement.
The Cisco 12000 series Gigabit Switch Router (GSR) is the only
Cisco product that is affected by this vulnerability. Currently
the 12008 GSR and the 12012 GSR are the only two models in the
series. No other Cisco product is affected by this vulnerability.
The Cisco 12000 series Gigabit Switch Router is a large rack-mount
device, approximately twenty to sixty inches (0.5 to 1.5 meters)
tall and twenty inches (0.5 meters) deep, that requires
specialized power connections to supply forty to sixty amps of
electricity. GSRs are typically used by major Internet Service
Providers at their most important interconnection points. If you
do not have a Cisco 12000 series GSR, then you are not affected
by the vulnerability described in this notice.
When an affected Cisco Gigabit Switch Router (GSR) executes the
following command on an interface:
access-list 101 permit tcp any any established
the established keyword is ignored. This will cause the GSR to
forward all TCP traffic for the relevant interface, contrary to
the restriction intended in the access-list statement. This
vulnerability can be exploited to circumvent your security policy,
resulting in unauthorized access to systems and unauthorized
release of information. This may be inadvertent or intentional.
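To make the failure concrete, the following is an added Python model (not Cisco code, and not part of the original notice) of how an extended access-list entry with the established keyword is meant to be evaluated, beside the behaviour the notice describes, where the keyword is simply ignored. The packet fields, flag constants and addresses are assumptions; the intended semantics of established (match only when ACK or RST is set) are the documented IOS behaviour.

```python
# Added illustration of IOS extended-ACL evaluation for TCP, comparing
# correct handling of the "established" keyword with the GSR behaviour
# described in the notice (keyword ignored). Simplified model, not Cisco code.
from dataclasses import dataclass
from typing import List, Tuple

TCP_RST = 0x04  # assumed flag bit values, as laid out in the TCP header
TCP_ACK = 0x10


@dataclass(frozen=True)
class TcpPacket:
    src: str
    dst: str
    flags: int  # raw TCP flag bits


@dataclass(frozen=True)
class AclEntry:
    action: str                # "permit" or "deny"
    established: bool = False  # True when the keyword is present


def is_established(pkt: TcpPacket) -> bool:
    """'established' matches packets with ACK or RST set, i.e. traffic
    belonging to an existing connection, never a bare SYN."""
    return bool(pkt.flags & (TCP_ACK | TCP_RST))


def evaluate(acl: List[AclEntry], pkt: TcpPacket, keyword_honoured: bool = True) -> str:
    """First-match evaluation with the implicit deny at the end.
    keyword_honoured=False reproduces the affected GSR releases, which treat
    'permit tcp any any established' as a plain 'permit tcp any any'."""
    for entry in acl:
        if entry.established and keyword_honoured and not is_established(pkt):
            continue  # a bare SYN does not match this entry
        return entry.action
    return "deny"  # implicit deny


# access-list 101 permit tcp any any established
ACL_101 = [AclEntry("permit", established=True)]

# Constructed sample packets: a new inbound connection attempt (SYN only)
# and a reply to a connection opened from inside (SYN+ACK).
INBOUND_SYN = TcpPacket("203.0.113.5", "192.0.2.10", flags=0x02)
REPLY_SYNACK = TcpPacket("203.0.113.5", "192.0.2.10", flags=0x12)


def compare(pkt: TcpPacket) -> Tuple[str, str]:
    """Return (intended verdict, verdict on an affected GSR)."""
    return evaluate(ACL_101, pkt), evaluate(ACL_101, pkt, keyword_honoured=False)
```

The inbound SYN should be denied but is permitted on an affected GSR, while the SYN+ACK reply is permitted in both cases, which is why the policy failure is invisible to normal return traffic.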
Exploiting the flaw requires no special tools or knowledge. It
can be determined if your system is vulnerable by attempting to
exploit the vulnerability. It is not necessary to make an attempt
if it can be determined that you are running one of the affected
releases of software on a GSR and a copy of the configuration can
be obtained or reverse-engineered.
This bug, documented as CSCdm36197, initially appears in
11.2(14)GS2, the first release of Cisco IOS software to support
access lists on the GSR. The bug is present in versions of Cisco
IOS software from 11.2(14)GS2 to 11.2(15)GS3, inclusive. The
earliest repaired version is 11.2(15)GS5.
SOLUTION
If you are running any vulnerable version of 11.2GS and wish to
resolve this problem with the least possible change to your
existing version of software, you should upgrade to 11.2(15)GS5
or later. This bug is not present in any release of 12.0S, so
upgrading to 12.0S or later will also remove the vulnerability.
Cisco is offering free software upgrades to repair this
vulnerability for all affected customers. Customers with current
support contracts may upgrade to any software version. Customers
without support contracts that are running release 11.2(14)GS2
through 11.2(15)GS3 may upgrade to 11.2(15)GS5 or any later 11.2GS
release that has been repaired. As always, customers may install
only the feature sets they have purchased. Customers with
contracts should obtain upgraded software through their normal
update channels. For most customers, this means that the upgrades
should be obtained via the Software Center on Cisco's Worldwide
Web site at
http://www.cisco.com/
If you need the functionality provided by the established keyword
for an access-list command, there is no reasonable workaround.
Customers may wish to consider modifying the policies on other
network components, if possible, to limit exploitation of this
vulnerability until such time as they have downloaded a fixed
version of software to the affected GSR.