Cisco Access List Vulnerability

This vulnerability can be avoided by either rewriting the extended
access list to not use the "established" keyword, or by configuring
the interface to not use the IP route cache. To disable the IP route
cache, use the configuration command "no ip route-cache".

Example for a serial interface:

router#configure terminal

Enter configuration commands, one per line.
Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z
interface serial 0
no ip route-cache
router#write memoryThis vulnerability is fixed in Cisco software releases 8.3 (update 5.10),
9.0 (update 2.5), 9.1 (update 1.1) and in all later releases. Customers
who are using software release 8.2 and do not want to upgrade to a later
release should contact Cisco's Technical Assistance Center (TAC) at
800-553-2447 (Internet: for more information.

The following interim releases are available via anonymous FTP from (

Note: this FTP server will not allow filenames to be listed or matched
with wildcards. You also cannot request the file by its full pathname.
You must first cd to the desired directory (beta83_dir, beta90_dir, or
beta91_dir) and then request the file desired (gs3-bfx.83-5.10, etc.).

Release (Update) Filename Size Checksum
8.3 (5.10) /beta83_dir/gs3-bfx.83-5.10 1234696 02465 1206
9.0 (2.5) /beta90_dir/gs3-bfx.90-2.5 1705364 47092 1666
9.1 (1.1) /beta91_dir/gs3-k.91-1.1 2005548 59407 1959


Privacy Statement
Copyright 2010, SecurityFocus