Vulnerability

    CISCO

Affected

    CISCO

Description

    Blue  Boar  found  following.   He  was  doing some research about
    Network  Address   Translation  (NAT)   on  a   cisco  box.    The
    configuration he  was using  when he  found this  problem was  NAT
    overload was an  inside net, 192.168.0,  and a Windows  PC sitting
    at 192.168.0.2.  The  outside interface was another  ethernet (the
    were both FastEthernet, actually.. this was a 2621).

    Blue  Boar  was  playing  with  an  FTP  client on the 192.168.0.2
    machine,  watching  the  translation  tables  with  the sho ip nat
    trans command.  He was trying to see if he could get the Cisco  to
    open  arbitrary  holes  to  other  hosts  by  sending  manual PORT
    commands.  He didn't get that to work, but he found a cute  little
    problem.

    At the  time, he  was telnetted  to the  router from  the outside,
    which is  how he  was watching  the translations  table.  From the
    inside,  he  issued  the  command  PORT  192,168,0,2,0,23  (he was
    listening  on  port  23  with  netcat).   My telnet session to the
    outside died.

    After telneting  back right  away, and  that worked.   Whenever he
    issued that PORT command, his telnet connection died.

    We have to assume  that since the NAT  config Blue Boar used  uses
    the router's own (outside) IP address that the NAT is  interfering
    with the router's own listening ports.

Solution

    Cisco have confirmed the behavior  as documented.  The section  of
    code responsible for  the behavior has  been identified and  a fix
    is in development.