Privacy and Legal Notice

CIAC INFORMATION BULLETIN

D-15: Vulnerability in Cisco Routers used as Firewalls

May 12, 1993 1500 PDT 
PROBLEM:   Under certain circumstances, Cisco routers will pass IP source
           routed packets that should be denied.
PLATFORM:  Cisco routers -- software releases 8.2, 8.3, 9.0, 9.1, and 9.17.
DAMAGE:    Unauthorized packets may be passed.
SOLUTION:  Apply upgrade or use access lists.
__________________________________________________________________________
	
	Critical Information about vulnerability in Cisco routers

CIAC has learned that under certain circumstances Cisco routers will
pass IP source routed packets that should be denied, potentially
passing unauthorized packets.  This vulnerability affects Cisco
routers with software releases 8.2, 8.3, 9.0, 9.1, and 9.17 using the
"no IP source-route" command.  CIAC recommends that sites using Cisco
routers for firewall protection apply upgrades as indicated below.  If
you are unable to upgrade immediately, you may use access lists to deny
unauthorized packets.

This vulnerability is fixed in Cisco software releases 8.3(7.2),
9.0(5), 9.1(4), 9.17(2.1), and all later releases.  Sites using
release 8.2 need to upgrade to a later release; release 8.3 should
apply update (8); release 9.0, update (5); release 9.1, update (4);
and release 9.17, update (3).  Those customers having a maintenance
contract may obtain these releases through Cisco's Customer
Information On-Line (CIO).  Other customers may obtain them through
Cisco's Technical Assistance Center (800.553.2447 -- Internet:
tac@cisco.com) or by contacting their local Cisco distributor.
Contact Cisco's Technical Assistance Center for more information.

For additional information or assistance, please contact CIAC at
(510)422-8193/FTS or send E-mail to ciac@llnl.gov.  FAX messages to
(510)423-8002/FTS.

CIAC wishes to thank the CERT Coordination Center for the information
used in this bulletin.

Previous CIAC Bulletins and other information are available via
anonymous ftp from irbis.llnl.gov (IP address 128.115.19.60).

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents.  Your agency's team will coordinate with CIAC.  The Forum
of Incident Response and Security Teams (FIRST) is a world-wide
organization.  A list of FIRST member organizations and their
constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line:
send first-contacts.
DOE-CIRC can be contacted at: 
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/