Vulnerability

    Gigabit Switch

Affected

    Cisco  Gigabit  Switch  (12008  and  12012 GSRs) running Cisco IOS
    11.2(14)GS2 through 11.2(15)GS3

Description

    Following is based on Cisco  security notice.  Cisco 12000  series
    Gigabit  Switch  Routers  running  certain  versions  of Cisco IOS
    software forward unauthorized traffic due to an error  encountered
    while  processing  the  established  keyword  in  an   access-list
    statement.   The  resulting  vulnerability  could  be exploited to
    circumvent a site's  security policy.   Only Cisco Gigabit  Switch
    Routers (currently  the 12008  and 12012  GSRs) running  Cisco IOS
    software release 11.2(14)GS2  through 11.2(15)GS3 are  vulnerable.
    A  GSR   running  release   11.2(14)GS2  through   11.2(15)GS3  is
    vulnerable if the  keyword established is  used in an  access-list
    statement.

    The Cisco  12000 series  Gigabit Switch  Router (GSR)  is the only
    Cisco product that is  affected by this vulnerability.   Currently
    the 12008 GSR  and the 12012  GSR are the  only two models  in the
    series. No other Cisco product is affected by this  vulnerability.
    The Cisco 12000 series Gigabit Switch Router is a large rack-mount
    device, approximately  twenty to  sixty inches  (0.5 to 1.5meters)
    tall  and  twenty   inches  (0.5  meters)   deep,  that   requires
    specialized power  connections to  supply forty  to sixty  amps of
    electricity.  GSRs  are typically used  by major Internet  Service
    Providers at their most important interconnection points.  If  you
    do not have a  Cisco 12000 series GSR,  then you are not  affected
    by the vulnerability described in this notice.

    When an affected  Cisco Gigabit Switch  Router (GSR) executes  the
    following command on an interface:

        access-list 101 permit tcp any any established

    the established keyword  is ignored.   This will cause  the GSR to
    forward all TCP  traffic for the  relevant interface, contrary  to
    the  restriction  intended  in  the  access-list  statement.  This
    vulnerability can be exploited to circumvent your security policy,
    resulting  in  unauthorized  access  to  systems  and unauthorized
    release of information.   This may be inadvertent  or intentional.
    Exploiting the flaw  requires no special  tools or knowledge.   It
    can be determined  if your system  is vulnerable by  attempting to
    exploit the vulnerability.  It is not necessary to make an attempt
    if it can be determined that  you are running one of the  affected
    releases of software on a GSR and a copy of the configuration  can
    be obtained or reverse-engineered.

    This  bug,   documented  as   CSCdm36197,  initially   appears  in
    11.2(14)GS2, the first  release of Cisco  IOS software to  support
    access lists on the GSR.  The bug is present in versions of  Cisco
    IOS  software  from  11.2(14)GS2  to  11.2(15)GS3, inclusive.  The
    earliest repaired version is 11.2(15)GS5.

Solution

    If you are  running any vulnerable  version of 11.2GS  and wish to
    resolve  this  problem  with  the  least  possible  change to your
    existing version  of software,  you should  upgrade to 11.2(15)GS5
    or later.   This bug is  not present in  any release of  12.0S, so
    upgrading to 12.0S or later will also remove the vulnerability.

    Cisco  is  offering   free  software  upgrades   to  repair   this
    vulnerability for all affected customers.  Customers with  current
    support contracts may upgrade to any software version.   Customers
    without  support  contracts  that  are running release 11.2(14)GS2
    through 11.2(15)GS3 may upgrade to 11.2(15)GS5 or any later 11.2GS
    release that has been  repaired. As always, customers  may install
    only  the  feature  sets  they  have  purchased.   Customers  with
    contracts  should  obtain  upgraded  software through their normal
    update channels. For most customers, this means that the  upgrades
    should be obtained  via the Software  Center on Cisco's  Worldwide
    Web site at

        http://www.cisco.com/

    If you need the functionality provided by the established  keyword
    for an  access-list command,  there is  no reasonable  workaround.
    Customers may  wish to  consider modifying  the policies  on other
    network components,  if possible,  to limit  exploitation of  this
    vulnerability  until  such  time  as  they have downloaded a fixed
    version of software to the affected GSR.