COMMAND
cisco
SYSTEMS AFFECTED
Gigabit Ethernet and Fast Ethernet cards installed in Gigabit Switched Routers
PROBLEM
Following is based on Cisco Security Advisory. A defect in Cisco
IOS(tm) Software running on all models of Gigabit Switch Routers
(GSRs) configured with Gigabit Ethernet or Fast Ethernet cards
may cause packets to be forwarded without correctly evaluating
configured access control lists (ACLs). In addition to
circumventing the access control lists, it is possible to stop an
interface from forwarding any packets, thus causing a denial of
service.
Only the particular combination of equipment described in this
notice is vulnerable. No other combinations of routers and cards
are vulnerable. Network topologies that include a large
flat/bridged network may be more susceptible to this vulnerability
than some other topologies. This vulnerability is present in all
Cisco IOS Software releases for the GSR starting with release
11.2(15)GS1A. Versions of Cisco IOS Software containing the
repair for this defect are listed below. This defect is
documented as Cisco bug ID CSCdp35794.
When access lists are used on a GSR with Gigabit Ethernet or Fast
Ethernet cards installed and configured, line card failures may
occur that require a reset of the affected card and internal
queuing data structures may be corrupted. The problem is due to
differences in the optimized handling of certain types of packets
from shared media that directly affects the evaluation of access
control lists on Gigabit Ethernet and Fast Ethernet interfaces.
The problem is more likely to occur on a large shared or bridged
Ethernet segment, and is more evident with the use of compiled
access control lists (also known as Turbo ACLs) than with other
access control lists. The problem cannot occur unless access
control lists are configured on the affected interfaces.
Under certain conditions it is possible to circumvent compiled
access control lists with a moderate probability of success and
circumvent extended access control lists with a low probability
of success. A possible side effect is that the attacked interface
may stop forwarding packets without logging an error, requiring
the card to be reset via software. Due to the nature of this
vulnerability, it is difficult to predict the exact results of
any such exploitation.
Network topologies that include a large flat/bridged network
(several hundred hosts or more) may be more susceptible to this
vulnerability than some other topologies. However, by sending a
large number of specific packets, it may be possible to trigger
this vulnerability on any topology.
SOLUTION
There is no workaround. Customers are urged to upgrade to
unaffected versions of software as soon as possible. Gigabit
Switched Routers with other cards are not susceptible to this
vulnerability. Similarly, Gigabit Ethernet and Fast Ethernet cards
that are installed in other router models are not susceptible
to this vulnerability. Specifically, the RSP/7200 series routers
are not affected.
This vulnerability affects Gigabit Ethernet and Fast Ethernet
cards on the following Gigabit Switch Routers:
* 12008 Gigabit Switch Router
* 12012 Gigabit Switch Router
* 12016 Gigabit Switch Router
This vulnerability affects all releases of Cisco GSR IOS Software
starting with 11.2(15)GS1A. This vulnerability has been corrected
in the following IOS releases:
* 11.2(19)GS0.2
* 12.0(8.0.2)S
* 12.0(7)S1
* 12.0(7.4)S
* 12.0(8.3)SC
* 12.0(7)SC
All subsequent releases of Cisco IOS Software for the GSR
incorporate this fix. To determine if your system is affected by
this problem, execute the show version command while in global
configuration mode. If the output does not contain the words "GS
Software" in the banner and "FastEthernet" or "GigabitEthernet"
in the list of installed cards, then the system is not affected
by the vulnerability described in this advisory.
If show version displays "GS Software" and also reports that
"FastEthernet" or "GigabitEthernet" cards are installed in the
system, then the current IOS release number should be compared to
those listed above to determine if an upgrade is necessary.
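The three-step check described above, written out as an added example (not part of the advisory): the script looks for "GS Software" and Fast/Gigabit Ethernet cards in captured show version text, then compares the release string against the advisory's fixed-release list. The ordering it uses for IOS release strings (maintenance number, then rebuild suffix) is an assumption of this script, so a release that falls between listed fixes is reported for manual review rather than guessed.

```python
import re

# Releases the advisory lists as carrying the fix; later releases in the same train also do.
FIXED = ["11.2(19)GS0.2", "12.0(8.0.2)S", "12.0(7)S1", "12.0(7.4)S", "12.0(8.3)SC", "12.0(7)SC"]
FIRST_AFFECTED = "11.2(15)GS1A"  # first GSR release the advisory names as affected
VER_RE = re.compile(r"^(\d+)\.(\d+)\((\d+(?:\.\d+)*)\)([A-Z]+?)(\d[0-9A-Za-z.]*)?$")

def parse_ios_version(ver):
    """Split e.g. '12.0(7)S1' into a train id (12, 0, 'S') and a sortable key ((7,), ((0, 1),))."""
    m = VER_RE.match(ver)
    if not m:
        raise ValueError(f"unrecognised IOS version string: {ver!r}")
    major, minor, maint, train, rebuild = m.groups()
    maint_key = tuple(int(x) for x in maint.split("."))
    # Rebuild suffixes mix digits and letters ('1A', '0.2'); tag each part so tuples compare cleanly.
    rebuild_key = tuple((0, int(p)) if p.isdigit() else (1, p)
                        for p in re.findall(r"\d+|[A-Za-z]+", rebuild or ""))
    return (int(major), int(minor), train), (maint_key, rebuild_key)

def classify_version(ver):
    """Return 'not affected', 'affected', 'fixed' or 'review' for one GSR IOS version string."""
    train, key = parse_ios_version(ver)
    fixed_keys = [k for t, k in map(parse_ios_version, FIXED) if t == train]
    if not fixed_keys:
        return "review"                   # train not covered by the advisory's fixed list
    if ver in FIXED or key > max(fixed_keys):
        return "fixed"                    # listed, or subsequent to every listed fix in the train
    first_train, first_key = parse_ios_version(FIRST_AFFECTED)
    if train == first_train and key < first_key:
        return "not affected"             # predates 11.2(15)GS1A
    if key < min(fixed_keys):
        return "affected"
    return "review"                       # between listed fixes (e.g. a rebuild): compare by hand

def assess_show_version(output):
    """Apply the advisory's three-step check to captured 'show version' text."""
    if "GS Software" not in output:
        return "not affected"             # banner shows this is not GSR IOS
    if not re.search(r"FastEthernet|GigabitEthernet", output):
        return "not affected"             # no Fast/Gigabit Ethernet cards installed
    m = re.search(r"Version (\d+\.\d+\([\d.]+\)[A-Za-z0-9.]*)", output)
    return classify_version(m.group(1)) if m else "review"

# Constructed 'show version' excerpt in the shape the advisory describes, not output from a real device.
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) GS Software (GSR-P-M), Version 12.0(7)S, RELEASE SOFTWARE (fc1)
8 FastEthernet/IEEE 802.3 interface(s)
"""
```

Running assess_show_version(SAMPLE_SHOW_VERSION) yields "affected", since 12.0(7)S precedes the listed 12.0(7)S1 in the same train.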