Cisco 12000 Outgoing ACL Fragmented Packet Vulnerability

Cisco IOS is the operating system that runs on many routers and switches manufactured by Cisco Systems.

IOS on Cisco 12000 series routers with Engine 2 line cards may fail to block traffic that an outgoing ACL is intended to filter. Outgoing ACLs on these cards do not support the 'fragment' keyword (the fragments keyword in IOS extended ACL syntax). If an outgoing ACL contains an entry that uses it, fragmented packets are not evaluated against the ACL's rules at all and are forwarded, so traffic the policy is meant to block can pass through.
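The following IOS configuration fragment is an added illustration, not taken from the advisory: it shows an outgoing ACL of the affected kind beside a rearranged policy that keeps the fragments entry off the outgoing ACL. Interface names, addresses and ACL names are assumed for the example.

```cisco
! Constructed example (not from the advisory). Interfaces, addresses and ACL
! names are assumed.
!
! AFFECTED on a 12000 Engine 2 line card: the outgoing ACL contains an entry
! with the fragments keyword, so fragmented packets leaving POS1/0 are not
! checked against any of its entries, including the telnet deny below.
ip access-list extended OUT-FILTER
 deny   ip any any fragments
 deny   tcp any host 192.0.2.10 eq 23
 permit ip any any
!
interface POS1/0
 ip access-group OUT-FILTER out
!
! REARRANGED: no fragments entry on the outgoing ACL. Fragment handling is
! enforced on the incoming ACL of the interface the traffic arrives on
! (POS2/0 here), where the keyword is evaluated normally.
ip access-list extended OUT-FILTER-FIXED
 deny   tcp any host 192.0.2.10 eq 23
 permit ip any any
!
ip access-list extended IN-FILTER
 deny   ip any any fragments
 permit ip any any
!
interface POS1/0
 ip access-group OUT-FILTER-FIXED out
!
interface POS2/0
 ip access-group IN-FILTER in
```

After applying the change, confirm which lists are bound with `show ip interface POS1/0` and `show ip interface POS2/0` (the "Outgoing access list is" / "Inbound access list is" lines), and check that no remaining outgoing ACL on an Engine 2 card still carries a fragments entry.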


