CI-95.02
Published: 1995-07-31 00:00:00
Updated: 1995-07-31 00:00:00
Cisco Security Advisory
Mon Jul 31 16:24:28 1995
The following describes an error in Cisco's IOS software 10.3 release when the 'tacacs-ds' or 'tacacs'
keyword is used in extended IP access control lists. This bug can cause an extended IP access control
list to be misparsed, possibly allowing unauthorized packets to circumvent a filtering router. This
vulnerability is present in the following IOS software versions:
10.3(3.4) through 10.3(4.2)
If you are running any of these IOS versions on a product that uses IP extended access lists, and you
are using the 'tacacs-ds' or 'tacacs' keyword in these lists, then Cisco strongly recommends that you
review your access lists to ensure that they have been parsed correctly. You can determine what version
of IOS you are running by issuing the following command:
show version
If your access list has been parsed incorrectly, the recommended action is to upgrade to a more recent
version of IOS or perform the workaround described below. The bug is fixed in the following official
software releases:
10.3(4.3) or later
(For reference, the Cisco update identifier for this fix is "CSCdi36962".)
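The version ranges above are easy to misjudge by eye because IOS numbers carry a maintenance and an interim component inside the parentheses. The following added example (not part of the advisory) parses an IOS version string, or the "show version" output that contains one, and places it relative to the three ranges the advisory gives; the sample "show version" text is constructed for the example and the classification labels are this example's own.

```python
import re

# Boundaries taken from the advisory, as (major, minor, maintenance, interim):
# 10.3(1)-10.3(3.3) write the 'tacacs-ds' keyword, 10.3(3.4)-10.3(4.2)
# misparse it, and 10.3(4.3) or later carry the fix (CSCdi36962).
FIRST_AFFECTED = (10, 3, 3, 4)
LAST_AFFECTED = (10, 3, 4, 2)
FIRST_FIXED = (10, 3, 4, 3)

# Matches e.g. "10.3(3.4)" or "10.3(1)"; the interim number is optional.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)")

# Constructed sample of the line a "show version" would print; the platform
# and image name are placeholders, not taken from the advisory.
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) EXAMPLE Software (EXAMPLE-IMAGE), Version 10.3(3.4), RELEASE SOFTWARE
Copyright (c) example
"""


def parse_ios_version(text):
    """Return the first IOS version in `text` as a comparable 4-tuple.

    '10.3(3.4)' -> (10, 3, 3, 4); '10.3(1)' -> (10, 3, 1, 0); None if absent.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, maint, interim = match.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def classify(text):
    """Place the version found in `text` relative to the advisory's ranges.

    Returns one of 'outside-10.3', 'writes-tacacs-ds', 'affected', 'fixed'.
    The advisory only describes the 10.3 train, so anything else is reported
    as outside its scope rather than as safe.
    """
    version = parse_ios_version(text)
    if version is None:
        raise ValueError(f"no IOS version found in {text!r}")
    if version[:2] != (10, 3):
        return "outside-10.3"
    if version >= FIRST_FIXED:
        return "fixed"
    if version >= FIRST_AFFECTED:
        return "affected"
    return "writes-tacacs-ds"


if __name__ == "__main__":
    for sample in ("10.3(3.3)", "10.3(3.4)", "10.3(4.2)", "10.3(4.3)"):
        print(sample, "->", classify(sample))
    print("show version sample ->", classify(SAMPLE_SHOW_VERSION))
```

Tuple comparison does the right thing for the interim component ("10.3(4.10)" sorts after "10.3(4.3)"), which a string comparison would get wrong.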
Customers may obtain software upgrades without going through Cisco's Technical Assistance
Center by using Cisco's Customer Information On-Line service; instructions for downloading are
available at the end of this message.
You may also contact your Cisco distributor or contact Cisco's Technical Assistance Center (TAC) for
more information. TAC can be reached by phone at (800) 553-2447, by E-Mail to tac@cisco.com or
via the World-Wide-Web at http://www.cisco.com. In Europe you can contact TAC by phone at
32-2-778-42-42 or via E-Mail to euro-tac@cisco.com.
A) Description
A bug in certain versions of IOS can cause extended IP access lists to be parsed incorrectly.
Under some circumstances, this may allow packets to bypass IP packet filtering. This may permit
unintended IP traffic to pass through a filtering router.
IP extended access lists between versions 10.3(1) through 10.3(3.3) used the keyword
'tacacs-ds'. This keyword could be saved as part of the router configuration either in non-volatile
memory on the router or on an external TFTP server.
Configuration files written by these versions which are read by versions 10.3(3.4) through
10.3(4.2) will not have the 'tacacs-ds' keyword parsed correctly. The result will be that the entire
line in the access list will be ignored. An error message will be generated when this occurs. Loss
of such a line from the access list may create a vulnerability if the access list is used as part of a
packet filter.
To determine if you are vulnerable, examine your current configuration and compare it to your
intended configuration.
If the access lists in your current configuration and your intended configuration do not use the
keyword 'tacacs-ds', you are not vulnerable. You do not need to do anything.
If your current configuration contains the keyword 'tacacs-ds', you should NOT upgrade that
router to any version of IOS between 10.3(3.4) and 10.3(4.2). You are not currently vulnerable.
If your intended configuration contains the keyword 'tacacs-ds' or 'tacacs', or filters on TCP or
UDP port 49, and your current configuration does NOT contain that line of the access list, you
are currently vulnerable. You should perform the workaround described below.
B) Workaround
The following actions will remove the vulnerability:
Delete the access list and re-enter it based upon your intended configuration. Do not enter
the 'tacacs-ds' keyword. Use the keyword 'tacacs' instead.
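The test in section A (compare the intended access list with what the router actually holds, and treat a missing TACACS-related entry as a vulnerability) and the workaround in section B (delete the list and re-enter it with 'tacacs' in place of 'tacacs-ds') can both be driven from the two configuration texts. The following added example is not part of the advisory and not Cisco's code; the two configurations are constructed samples, with the "current" one showing the entry an affected router would have dropped, and the addresses and list number are placeholders.

```python
import re

# Constructed sample: the access list as the administrator intended it.
INTENDED_CONFIG = """\
access-list 101 permit tcp host 192.0.2.10 any eq tacacs-ds
access-list 101 permit udp any host 192.0.2.10 eq 49
access-list 101 permit tcp any any eq telnet
access-list 101 deny   ip any any
"""

# Constructed sample: the same list as an affected 10.3(3.4)-10.3(4.2) router
# would show it after ignoring the line it could not parse.
CURRENT_CONFIG = """\
access-list 101 permit udp any host 192.0.2.10 eq 49
access-list 101 permit tcp any any eq telnet
access-list 101 deny ip any any
"""

TACACS_PORT = 49
TACACS_NAMES = {"tacacs", "tacacs-ds", str(TACACS_PORT)}
PORT_OPERATORS = {"eq", "neq", "lt", "gt"}


def acl_lines(config):
    """Return the 'access-list' entries of a configuration, normalised so
    that spacing and case differences do not count as changes."""
    entries = []
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:1] == ["access-list"]:
            entries.append(" ".join(tokens).lower())
    return entries


def filters_tacacs(entry):
    """True if the entry matches TACACS traffic: the keyword 'tacacs-ds' or
    'tacacs', or port 49 after a port operator or inside a 'range'."""
    tokens = entry.split()
    for i, tok in enumerate(tokens[:-1]):
        nxt = tokens[i + 1]
        if tok in PORT_OPERATORS and nxt in TACACS_NAMES:
            return True
        if tok == "range" and i + 2 < len(tokens):
            try:
                low, high = int(nxt), int(tokens[i + 2])
            except ValueError:
                continue
            if low <= TACACS_PORT <= high:
                return True
    return False


def dropped_entries(intended, current):
    """Intended entries that do not appear in the current configuration."""
    present = set(acl_lines(current))
    return [entry for entry in acl_lines(intended) if entry not in present]


def audit(intended, current):
    """Section A test: vulnerable if a TACACS-related intended entry is
    missing from the current configuration."""
    missing = [e for e in dropped_entries(intended, current) if filters_tacacs(e)]
    return {"vulnerable": bool(missing), "missing_entries": missing}


def workaround_commands(intended):
    """Section B: commands that delete each list and re-enter it from the
    intended configuration with 'tacacs' substituted for 'tacacs-ds'."""
    by_number = {}
    for entry in acl_lines(intended):
        number = entry.split()[1]
        fixed = re.sub(r"\btacacs-ds\b", "tacacs", entry)
        by_number.setdefault(number, []).append(fixed)
    commands = []
    for number, entries in by_number.items():
        commands.append(f"no access-list {number}")
        commands.extend(entries)
    return commands


if __name__ == "__main__":
    result = audit(INTENDED_CONFIG, CURRENT_CONFIG)
    print("vulnerable:", result["vulnerable"])
    for entry in result["missing_entries"]:
        print("  missing:", entry)
    print("\n".join(workaround_commands(INTENDED_CONFIG)))
```

Entries are compared after whitespace normalisation, so the extra spaces in the intended "deny ip any any" line are not reported as a change; only the entry the router actually dropped is. The substitution uses a word boundary so that an entry already written with 'tacacs' is left untouched.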
C) Solution
Obtain and install the appropriate release of IOS software as described above. For assistance
contact Cisco's TAC.
Software upgrades may be obtained via any of the following mechanisms:
A) World Wide Web (WWW):
For registered CCO users please open a URL to:
http://www.cisco.com/public/sw-center/
and select the version of software to download.
For non-registered users open a URL to:
http://www.cisco.com/public/library/spc_req.shtml
When prompted for a code, please enter:
certjuly31
for a list of available files to download.
B) FTP:
ftp cco.cisco.com and at the initial (username) prompt, enter:
certjuly31
At the password prompt, enter your e-mail address. Then:
get README.certjuly31
This file contains a list of files available that close this vulnerability. Please examine this list to
determine which files you need and then download them.
C) Character-based "CCO Classic":
For access, the following connection options are offered:
telnet cco.cisco.com
Dial-up modem
In Europe +33 1 64 46 40 82
In the US (408) 526 8070
vt100, N81, up to 14.4Kbps
Enter either as a guest or registered user and navigate to the topic:
Software Updates
Special Files
At the prompt for a code, please enter:
certjuly31
A list of files will be displayed for you to select and download.
Posted: Aug 3 16:48:28 1995
Copyright 1996 © Cisco Systems Inc.
