
Cisco Input Access List Leakage With Nat

             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

            Cisco IOS(R) Software Input Access List Leakage with NAT
               Notice released by Cisco on Tuesday April 13, 1999

April 26, 1999 18:00 GMT                                          Number J-041
______________________________________________________________________________
PROBLEM:       Input access list filters may "leak" packets in certain network
               address translation (NAT) configurations, creating a security
               exposure. Configurations without NAT are not affected.
PLATFORM:      Cisco routers running 12.0-based versions of Cisco IOS software
               (including 12.0, 12.0S, and 12.0T, in all versions up to, but
               not including, 12.0(4), 12.0(4)S, and 12.0(4)T, as well as
               other 12.0 releases). Non-12.0 releases are not affected.
DAMAGE:        The "leakage" does not happen at all times. This may cause
               administrators to believe that filtering is working when it is
               not.
SOLUTION:      Software fixes are being created for this vulnerability, but
               are not yet available for all software versions. Cisco released
               this notice before fixed software is universally available in
               order to enable affected Cisco customers to take immediate
               steps to protect themselves against this vulnerability.
______________________________________________________________________________
VULNERABILITY  The risk is high if your operations fit the profile given in
ASSESSMENT:    the Cisco bulletin's "Who Is Affected" section. For example,
               your risk may be high if you are using input access lists in
               conjunction with NAT on an interface of a Cisco IOS router
               running any 12.0-based version software earlier than the fixed
               versions. Otherwise, there is no risk.
______________________________________________________________________________

[Start Cisco Advisory]
Cisco IOS(R) Software Input Access List Leakage with NAT

Revision 1.2
For release Tuesday, April 13, 1999, 08:00 AM US/Pacific

Cisco internal use only until released on www.cisco.com
==============================================================

Summary
=======
A group of related software bugs (bug IDs given under "Software Versions and
Fixes") create an undesired interaction between network address translation
(NAT) and input access list processing in certain Cisco routers running
12.0-based versions of Cisco IOS software (including 12.0, 12.0S, and 12.0T,
in all versions up to, but not including, 12.0(4), 12.0(4)S, and 12.0(4)T, as
well as other 12.0 releases). Non-12.0 releases are not affected.

This may cause input access list filters to "leak" packets in certain NAT
configurations, creating a security exposure. Configurations without NAT are
not affected.

The failure does not happen at all times, and is less likely under
laboratory conditions than in installed networks. This may cause
administrators to believe that filtering is working when it is not.

Software fixes are being created for this vulnerability, but are not yet
available for all software versions (see the section on "Software Versions
and Fixes"). This notice is being released before fixed software is
universally available in order to enable affected Cisco customers to take
immediate steps to protect themselves against this vulnerability.

Who Is Affected
===============
If you are using input access lists in conjunction with NAT on an interface
of a Cisco IOS router running any 12.0-based version of Cisco IOS software
earlier than the fixed versions listed in the table under "Software Versions
and Fixes", then you are affected by this vulnerability. Non-12.0 releases
are not affected.

Both input access lists and NAT must be in use on the same router interface
in order for this vulnerability to manifest itself. If your configuration
file does not contain the command "ip access-group <acl> in" on the same
interface with "ip nat inside" or "ip nat outside", then you are not affected.
The majority of routers are not configured to use NAT, and are therefore not
affected. NAT routers are most commonly found at Internet boundaries.
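As an added example (not part of the Cisco or CIAC text), the following Python script applies that configuration test to a saved running-config and a "show version" string. The sample config, hostname and addresses are constructed; the version check covers only the release numbers the advisory itself names, so any other 12.0 train should be looked up in the table under "Software Versions and Fixes".

```python
"""Flag Cisco IOS interfaces that combine an inbound access list with NAT.

Added example, not Cisco's or CIAC's code. It implements the check from
"Who Is Affected": an interface is exposed to the 12.0 ACL/NAT leakage only
if it carries both 'ip access-group <acl> in' and 'ip nat inside' or
'ip nat outside'.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample 'show running-config' output; not from a real router.
SAMPLE_CONFIG = """\
!
version 12.0
hostname border-rtr
!
ip nat inside source list 1 interface Serial0/0 overload
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
 ip nat outside
!
interface Serial0/1
 ip address 192.0.2.5 255.255.255.252
 ip access-group 102 in
!
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 permit ip any any
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [indented sub-commands]} from an IOS config."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def find_acl_nat_overlap(config: str) -> List[Tuple[str, str, str]]:
    """List (interface, inbound ACL, NAT role) for interfaces that have both.

    Only the 'in' direction is checked: the advisory concerns input access
    lists. Interfaces with just an ACL or just NAT are not reported.
    """
    hits: List[Tuple[str, str, str]] = []
    for name, cmds in parse_interfaces(config).items():
        acl_in = None
        nat_role = None
        for cmd in cmds:
            m = re.match(r"ip access-group (\S+) in$", cmd)
            if m:
                acl_in = m.group(1)
            m = re.match(r"ip nat (inside|outside)$", cmd)
            if m:
                nat_role = m.group(1)
        if acl_in and nat_role:
            hits.append((name, acl_in, nat_role))
    return hits


def version_possibly_affected(version: str) -> bool:
    """True for 12.0-based releases with a maintenance number below 4.

    The advisory names 12.0(4), 12.0(4)S and 12.0(4)T as the first fixed
    regular releases and 12.0(3b), 12.0(3)T2 and 12.0(2)XE3 as spot fixes.
    Non-12.0 releases are not affected. Other 12.0 trains (e.g. the W5 or XB
    releases) are flagged here and must be resolved against the table.
    """
    fixed_spot = {"12.0(3b)", "12.0(3)T2", "12.0(2)XE3"}
    m = re.match(r"12\.0\((\d+)", version)
    if not m:
        return False
    if version in fixed_spot:
        return False
    return int(m.group(1)) < 4


if __name__ == "__main__":
    for iface, acl, role in find_acl_nat_overlap(SAMPLE_CONFIG):
        print(f"{iface}: inbound ACL {acl} together with 'ip nat {role}'")
```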

Affected Devices
----------------
Cisco devices that run Cisco IOS software, and are affected by this
vulnerability, include the following:

   * Cisco routers in the 17xx family are affected.
   * Cisco routers in the 26xx family are affected.
   * Cisco routers in the 36xx family are affected.
   * Cisco routers in the AS58xx family (not the AS52xx or AS53xx) are
     affected.
   * Cisco routers in the 72xx family (including the ubr72xx) are affected.
   * Cisco routers in the RSP70xx family (not non-RSP 70xx routers) are
     affected.
   * Cisco routers in the 75xx family are affected.
   * The Catalyst 5xxx Route-Switch Module (RSM) is affected. The Catalyst
     5xxx switch supervisors themselves are not affected; only the optional
     RSM module is involved.

Cisco devices which run Cisco IOS software, but are not affected by this
vulnerability, include the following:

   * Cisco routers in the 8xx family are not affected.
   * Cisco routers in the ubr9xx family are not affected.
   * Cisco routers in the 10xx family are not affected.
   * Cisco routers in the 14xx family are not affected.
   * Cisco routers in the 16xx family are not affected.
   * Cisco routers in the 25xx family are not affected.
   * Cisco routers in the 30xx family are not affected (and do not run 12.0
     software).
   * Cisco routers in the mc38xx family are not affected.
   * Cisco routers in the 40xx family are not affected.
   * Cisco routers in the 45xx family are not affected.
   * Cisco routers in the 47xx family are not affected.
   * Cisco routers in the AS52xx family are not affected.
   * Cisco routers in the AS53xx family are not affected.
   * Catalyst 85xx Switch Routers are not affected (and do not support NAT).
   * GSR12xxx Gigabit Switch Routers are not affected (and do not support
     NAT).
   * Cisco 64xx universal access concentrators are not affected.
   * Cisco AGS/MGS/CGS/AGS+ and IGS routers are not affected (and do not run
     12.0 software).
   * LS1010 ATM switches are not affected.
   * Catalyst 2900XL LAN switches are not affected.
   * The Cisco DistributedDirector is not affected.

If you are unsure whether your device is running classic Cisco IOS software,
log into the device and issue the command "show version". Cisco IOS software
will identify itself simply as "IOS" or "Internetwork Operating System
Software". Other Cisco devices either will not have the "show version"
command, or will give different output.

If you are not running Cisco IOS software, then you are not affected by this
vulnerability. Cisco devices which do not run Cisco IOS software, and are
not affected by this vulnerability, include the following:

   * 7xx dialup routers (750, 760, and 770 series) are not affected.
   * Catalyst 19xx, 28xx, 29xx, 3xxx, and 5xxx LAN switches are not
     affected.
   * WAN switching products in the IGX and BPX lines are not affected.
   * The MGX (formerly known as the AXIS shelf) is not affected.
   * No host-based software is affected.
   * The Cisco PIX Firewall is not affected.
   * The Cisco LocalDirector is not affected.
   * The Cisco Cache Engine is not affected.

Impact
======
The severity of the impact may vary, depending on the device type,
configuration and environment, from sporadic leakage of occasional packets
to consistent leakage of significant classes of packets. The environment
dependencies are extremely complex and difficult to characterize, but
essentially all vulnerable configurations are affected to some degree.
Customers with affected devices are advised to assume that the vulnerability
affects their networks whenever input access lists are used together with
NAT in 12.0-based software.

This vulnerability may allow users to circumvent network security filters,
and therefore security policies. This may happen with no special effort on
the part of the user, and indeed without the user being aware that a filter
exists at all. No particular tools, skills, or knowledge are needed for such
opportunistic attacks. In some configurations, it may be also possible for
an attacker to deliberately create the conditions for this failure; doing
this would require detailed knowledge and a degree of sophistication.

The conditions that trigger this vulnerability may be frequent and
long-lasting in some production configurations.

Software Versions and Fixes
===========================
This vulnerability is created by bugs in interface hardware drivers. These
bugs affect the drivers for all interface types on affected platforms. The
majority of these driver bugs are grouped under Cisco bug ID CSCdk79747.
Additional bug IDs include CSCdm22569 (miscellaneous additional drivers),
and CSCdm22299 (Cisco 1400 and 1700 platforms; of these two, only the 1700
actually suffers packet leakage).

A related bug is CSCdm22451, which describes a problem with the original
fix for CSCdk79747.

All four of these bugs are, or will be, fixed in the software releases
listed in the table below.

Many Cisco software images have been or will be specially reissued to
correct this vulnerability. For example, regular released version 12.0(3) is
vulnerable, as are interim versions 12.0(3.1) through 12.0(3.7). The first
fixed version of 12.0 mainline software is 12.0(4). However, a special
release, 12.0(3b), contains only the security vulnerability fixes, and does
not include any of the other bug fixes from later 12.0 interim releases.

If you were running 12.0(3), and wanted to upgrade to fix this problem,
without taking the risk of instability presented by the new functionality
and additional bug fixes in the 12.0(4) release, you could upgrade to
12.0(3b). 12.0(3b) represents a "code branch" from the 12.0(3) base, which
merges back into the 12.0 mainline at 12.0(4).

In every case, these special releases are one-time spot fixes, and will not
be maintained. The upgrade path from, say, 12.0(3b), is to 12.0(4).

Note that fixes are not yet available for some affected releases. Cisco is
releasing this notice before the general release of fixed software because
of the possibility that this vulnerability may be exploited in the interim.
All fix dates in the table are estimates and are subject to change.

+-------------+---------------+--------------+-------------+---------------+
|             |               |              |  Projected  |               |
|             |               | Special spot | first fixed |Projected first|
|             |               | fix release; |  regular or | fixed regular |
|  Cisco IOS  |               |  most stable |  interim**  |  maintenance  |
|Major Release|  Description  |   immediate  | release (fix|  release (or  |
|             |               | upgrade path |  will carry |other long term|
|             |               | (see above)  | forward into| upgrade path) |
|             |               |              |  all later  |               |
|             |               |              |  versions)  |               |
+-------------+---------------+--------------+-------------+---------------+
|                           Unaffected releases                            |
+-------------+---------------+--------------+-------------+---------------+
|11.3 and     |               |              |             |               |
|earlier, all |Unaffected     |Unaffected    |Unaffected   |Unaffected     |
|variants     |early releases |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|             |             12.0-based releases                            |
+-------------+---------------+--------------+-------------+---------------+
|12.0         |12.0 mainline  |12.0(3b)      |12.0(4),     |12.0(4),       |
|             |               |              |April 19,    |April 19, 1999*|
|             |               |              |1999*        |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0S        |ISP support:   |              |12.0(4)S     |12.0(5)S       |
|             |7200, RSP,     |              |(treated as  |June 21, 1999* |
|             |GSR12000. In   |              |interim** and|               |
|             |field test.    |      -       |released to  |               |
|             |               |              |field testers|               |
|             |               |              |on request   |               |
|             |               |              |only         |               |
|             |               |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0T        |12.0 new       |12.0(3)T2,    |12.0(4)T,    |12.0(4)T,      |
|             |technology     |April 14,     |April 26,    |April 26, 1999*|
|             |early          |1999*         |1999*        |               |
|             |deployment     |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0DB       |12.0 for Cisco |              |             |Unaffected; not|
|             |6400 universal |              |             |supported on   |
|             |access         |              |             |affected       |
|             |concentrator   |      -       |      -      |platforms.     |
|             |node switch    |              |             |               |
|             |processor (lab |              |             |               |
|             |use)           |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0(1)W5(x) |12.0 for       |              |             |Unaffected; not|
|             |Catalyst 8500  |      -       |      -      |supported on   |
|             |and LS1010     |              |             |affected       |
|             |               |              |             |platforms      |
+-------------+---------------+--------------+-------------+---------------+
|12.0(0.6)W5  |One-time early |              |             |Unaffected; not|
|             |deployment for |              |             |supported on   |
|             |CH-OC12 module |      -       |      -      |affected       |
|             |in Catalyst    |              |             |platforms.     |
|             |8500 series    |              |             |               |
|             |switches       |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0(1)XA3   |Short-life     |              |Merged       |Upgrade to     |
|             |release; merged|              |             |12.0(3)T2 or   |
|             |to 12.0T at    |      -       |             |12.0(4)T       |
|             |12.0(2)T.      |              |             |               |
|             |               |              |             |               |
|             |               |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0(1)XB    |Short-life     |Unaffected    |Merged       |Unaffected; not|
|             |release for    |              |             |supported on   |
|             |Cisco 800      |              |             |affected       |
|             |series; merged |              |             |platforms.     |
|             |to 12.0T at    |              |             |Regular upgrade|
|             |12.0(3)T.      |              |             |path is via    |
|             |               |              |             |12.0(4)T       |
|             |               |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0(2)XC    |Short-life     |              |Merged       |Upgrade to     |
|             |release for new|              |             |12.0(3)T2 or   |
|             |features in    |              |             |12.0(4)T       |
|             |Cisco 2600,    |              |             |               |
|             |Cisco 3600,    |      -       |             |               |
|             |ubr7200, ubr900|              |             |               |
|             |series; merged |              |             |               |
|             |to 12.0T at    |              |             |               |
|             |12.0(3)T.      |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0(2)XD    |Short-life     |              |Merged       |Upgrade to     |
|             |release for    |              |             |12.0(3)T2 or   |
|             |ISDN voice     |      -       |             |12.0(4)T       |
|             |features;      |              |             |               |
|             |merged to 12.0T|              |             |               |
|             |at 12.0(3)T.   |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0(x)XE    |Short-life     |12.0(2)XE3,   |Merged       |Upgrade to     |
|             |release for    |April 13,     |             |12.0(3)T2 or   |
|             |selected       |1999*         |             |12.0(4)T.      |
|             |enterprise     |              |             |               |
|             |features;      |              |             |               |
|             |merged to 12.0T|              |             |               |
|             |at 12.0(3)T    |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0(2)XF    |Short-life spot|Unaffected    |Merged       |Unaffected; not|
|             |release of 12.0|              |             |supported on   |
|             |for the        |              |             |affected       |
|             |Catalyst       |              |             |platforms.     |
|             |2900XL LAN     |              |             |Regular upgrade|
|             |switch; merged |              |             |path is via    |
|             |to 12.0T at    |              |             |12.0(4)T.      |
|             |12.0(4)T.      |              |             |               |
+-------------+---------------+--------------+-------------+---------------+
|12.0(2)XG    |Short-life     |              |Merged       |Upgrade to     |
|             |release for    |              |             |12.0(4)T       |
|             |voice modules  |      -       |             |               |
|             |and features;  |              |             |               |
|             |merged to 12.0T|              |             |               |
|             |at 12.0(4)T.   |              |             |               |
+-------------+---------------+--------------+-------------+---------------+

* All dates are tentative and subject to change

** Interim releases are subjected to less internal testing and verification
than are regular releases, may have serious bugs, and should be installed
with great care.

Getting Fixed Software
----------------------
Cisco is offering free software upgrades to remedy this vulnerability for
all affected customers. Customers with service contracts may upgrade to any
software version. Customers without contracts may upgrade only within a
single row of the table above, except that any available fixed software will
be provided to any customer who can use it and for whom the standard fixed
software is not yet available. As always, customers may install only the
feature sets they have purchased.

Note that not all fixed software is available as of the date of this notice.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades should
be obtained via the Software Center on Cisco's Worldwide Web site at
http://www.cisco.com.

Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:

   * +1 800 553 2447 (toll-free from within North America)
   * +1 408 526 7209 (toll call from anywhere in the world)
   * e-mail: tac@cisco.com

Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested through
the TAC. Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.

Workarounds
===========
This vulnerability may be worked around by changing the configuration to
avoid using input access lists, by removing NAT from the configuration, or
by separating NAT and filtering functions into different network devices or
onto different interfaces. Each of these changes has significant
installation-dependent complexity, and must be planned and executed with a
full understanding of the implications of the change.

If the configuration of a router is changed to eliminate NAT, or to change
the interfaces on which NAT is applied, as a means of avoiding this
vulnerability, the router must be reloaded before the change will have the
desired effect.

Exploitation and Public Announcements
=====================================
Cisco knows of no public announcements or discussion of this vulnerability
before the date of this notice. Cisco has had no reports of malicious
exploitation of this vulnerability. However, the nature of this
vulnerability is such that it may create security exposures without
knowingly being "exploited" as the term is usually used with respect to
security vulnerabilities.

This vulnerability was reported to Cisco by several customers who found it
during in-service testing.

Status of This Notice
=====================
This is a final field notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all of the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions of
this notice unless there is some material change in the facts. Should there
be a significant change in the facts, Cisco may update this notice.

Distribution
------------
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/770/iosnatacl-pub.shtml . In addition to
Worldwide Web posting, the initial version of this notice is being sent to
the following e-mail and Usenet news recipients:

   * cust-security-announce@cisco.com
   * bugtraq@netspace.org
   * first-teams@first.org (includes CERT/CC)
   * cisco@spot.colorado.edu
   * comp.dcom.sys.cisco
   * firewalls@greatcircle.com
   * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.

Revision History
----------------
 Revision 1.0,       First release candidate version
 16:40 US/Pacific
 8-APR-1999

 Revision 1.1,       Remove extraneous editor's comments
 18:20 US/Pacific
 8-APR-1999

 Revision 1.2,       Typographical cleanup, clarification of affected releases
 12:00 US/Pacific    in summary section, remove extraneous bug reference.
 9-APR-1999

Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's Worldwide
Web site at
http://www.cisco.com/warp/public/791/sec_incident_response.shtml. This
includes instructions for press inquiries regarding Cisco security notices.

------------------------------------------------------------------------
This notice is copyright 1999 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, including
all date and version information.
------------------------------------------------------------------------
[End Cisco Advisory]

______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Cisco for the
information contained in this bulletin.
______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-031: Debian Linux "Super" package Buffer Overflow
J-032: Windows Backdoors Update II:
J-033: SGI X Server Font Vulnerability
J-034: Cisco 7xx TCP and HTTP Vulnerabilities
J-035: Linux Blind TCP Spoofing
J-036: LDAP Buffer overflow against Microsoft Directory Services
J-037: W97M.Melissa Word Macro Virus
J-038: HP-UX Vulnerabilities (hpterm, ftp)
J-039: HP-UX Vulnerabilities (MC/ServiceGuard & MC/LockManager, DES
J-040: HP-UX Security Vulnerability in sendmail



