COMMAND

    cisco

SYSTEMS AFFECTED

    Gigabit Ethernet and Fast Ethernet cards installed in Gigabit Switched Routers

PROBLEM

    Following is based on Cisco Security Advisory.  A defect in  Cisco
    IOS(tm) Software running on  all models of Gigabit  Switch Routers
    (GSRs) configured  with Gigabit  Ethernet or  Fast Ethernet  cards
    may cause  packets to  be forwarded  without correctly  evaluating
    configured  access   control  lists   (ACLs).    In  addition   to
    circumventing the access control lists, it is possible to stop  an
    interface from forwarding  any packets, thus  causing a denial  of
    service.

    Only the  particular combination  of equipment  described in  this
    notice is vulnerable.  No other combinations of routers and  cards
    are  vulnerable.    Network  topologies  that   include  a   large
    flat/bridged network may be more susceptible to this vulnerability
    than some other topologies.  This vulnerability is present in  all
    Cisco  IOS  Software  releases  for  the GSR starting with release
    11.2(15)GS1A.   Versions  of  Cisco  IOS  Software  containing the
    repair  for  this  defect  are  listed  below.   This  defect   is
    documented as Cisco bug ID CSCdp35794.

    When access lists are used on a GSR with Gigabit Ethernet or  Fast
    Ethernet cards  installed and  configured, line  card failures may
    occur  that  require  a  reset  of  the affected card and internal
    queuing data structures may be  corrupted.  The problem is  due to
    differences in the optimized handling of certain types of  packets
    from shared media that  directly affects the evaluation  of access
    control lists  on Gigabit  Ethernet and  Fast Ethernet interfaces.
    The problem is more likely to  occur on a large shared or  bridged
    Ethernet segment,  and is  more evident  with the  use of compiled
    access control lists  (also known as  Turbo ACLs) than  with other
    access  control  lists.   The  problem  cannot occur unless access
    control lists are configured on the affected interfaces.

    Under certain  conditions it  is possible  to circumvent  compiled
    access control lists  with a moderate  probability of success  and
    circumvent extended  access control  lists with  a low probability
    of success. A possible side effect is that the attacked  interface
    may stop  forwarding packets  without logging  an error, requiring
    the card  to be  reset via  software.   Due to  the nature of this
    vulnerability, it  is difficult  to predict  the exact  results of
    any such exploitation.

    Network  topologies  that  include  a  large  flat/bridged network
    (several hundred hosts  or more) may  be more susceptible  to this
    vulnerability than some other  topologies.  However, by  sending a
    large number of  specific packets, it  may be possible  to trigger
    this vulnerability on any topology.

SOLUTION

    There  is  no  workaround.   Customers  are  urged  to  upgrade to
    unaffected  versions  of  software  as  soon as possible.  Gigabit
    Switched  Routers  with  other  cards  are not susceptible to this
    vulnerability.  Similarly, Gigabit Ethernet and Fast Ethernet cards
    that  are  installed  in  other  router models are not susceptible
    to this vulnerability.  Specifically, the RSP/7200 series  routers
    are not affected.

    This  vulnerability  affects  Gigabit  Ethernet  and Fast Ethernet
    cards on the following Gigabit Switch Routers:

        * 12008 Gigabit Switch Router
        * 12012 Gigabit Switch Router
        * 12016 Gigabit Switch Router

    This vulnerability affects all releases of Cisco GSR IOS  Software
    starting with 11.2(15)GS1A.  This vulnerability has been corrected
    in the following IOS releases:

        * 11.2(19)GS0.2
        * 12.0(8.0.2)S
        * 12.0(7)S1
        * 12.0(7.4)S
        * 12.0(8.3)SC
        * 12.0(7)SC

    All  subsequent  releases  of  Cisco  IOS  Software  for  the  GSR
    incorporate this fix.  To determine if your system is affected  by
    this problem,  execute the  show version  command while  in global
    configuration mode.  If the output does not contain the words  "GS
    Software" in  the banner  and "FastEthernet"  or "GigabitEthernet"
    in the list  of installed cards,  then the system  is not affected
    by the vulnerability described in this advisory.

    If  show  version  displays  "GS  Software"  and also reports that
    "FastEthernet"  or  "GigabitEthernet"  cards  are installed in the
    system, then the current IOS release number should be compared  to
    those listed above to determine if an upgrade is necessary.
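    The check described above, as an added example that is not part of the
    advisory: a Python script that applies the two show version tests (GS
    Software banner, FastEthernet/GigabitEthernet cards) and compares the
    reported release with the fixed releases listed.  The ordering of releases
    within one train (maintenance number, then interim build, then rebuild),
    the version-string regex and the sample output are my assumptions; any
    train not listed in the advisory is reported as unknown.

```python
import re
# Fixed releases named in the advisory; later releases in each train carry the fix.
FIXED_RELEASES = ["11.2(19)GS0.2", "12.0(8.0.2)S", "12.0(7)S1",
                  "12.0(7.4)S", "12.0(8.3)SC", "12.0(7)SC"]

# Assumed layout (mine, not Cisco's): 12.0(7.4)S1A -> base 12.0, maint 7, interim .4,
# train S, rebuild 1 + letters A; later releases within a train sort higher.
_VER_RE = re.compile(r"^(\d+\.\d+)\((\d+)((?:\.\d+)*)\)([A-Z]+)(\d*(?:\.\d+)*)([A-Z]*)$")

def parse_ios_version(text):
    """Return (base, train, sortkey) for a release string such as '12.0(7)S1'."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised IOS version: %r" % text)
    base, maint, interim, train, rebuild, letters = m.groups()
    ints = lambda s: tuple(int(p) for p in s.split(".") if p)
    return base, train, (int(maint), ints(interim), ints(rebuild), letters)

# Earliest fixed release per (base, train); anything at or above it is fixed.
EARLIEST_FIX = {}
for _rel in FIXED_RELEASES:
    _base, _train, _key = parse_ios_version(_rel)
    EARLIEST_FIX[(_base, _train)] = min(_key, EARLIEST_FIX.get((_base, _train), _key))

def assess_release(version):
    """'fixed', 'affected' or 'unknown' for a GSR image with GE/FE cards installed."""
    try:
        base, train, key = parse_ios_version(version)
    except ValueError:
        return "unknown"
    earliest = EARLIEST_FIX.get((base, train))
    if earliest is None:
        return "unknown"          # train not covered by the advisory: check manually
    return "fixed" if key >= earliest else "affected"

def assess_show_version(output):
    """Apply the advisory's two 'show version' tests, then the release comparison."""
    if "GS Software" not in output:
        return "not_affected"     # not a GSR image
    if not re.search(r"FastEthernet|GigabitEthernet", output):
        return "not_affected"     # no Fast/Gigabit Ethernet cards installed
    m = re.search(r"Version\s+([0-9.()A-Za-z]+)", output)
    return assess_release(m.group(1)) if m else "unknown"

# Constructed sample in the shape of 'show version' output, not from a real device.
SAMPLE = """Cisco Internetwork Operating System Software
IOS (tm) GS Software (GSR-P-M), Version 12.0(7)S, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
1 GigabitEthernet/IEEE 802.3 interface(s)
"""
print(assess_show_version(SAMPLE))   # affected: 12.0(7)S predates fixed 12.0(7)S1
```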