More bugs have cropped up in Cisco Systems Inc.'s routing software, affecting the security of the company's 7XXX series of routers that are prevalent in large enterprises and Internet service provider networks.
Certain versions of Cisco IOS software can cause IP datagrams to be output to network interfaces even though access lists (ACL) have been applied to filter those datagrams, according to a field notice on Cisco's Web site. These vulnerabilities may permit users to obtain unauthorized access or make other attacks on customer computer systems or data, the Cisco field notice states.
The bugs apply to routers equipped with Cisco versatile interface processors (VIP) and configured for distributed fast switching (DFS). Cisco said it does not know of any incidents in which these vulnerabilities have actually been exploited by attackers.
There are two independent vulnerabilities, and each affects only a specialized subset of DFS configurations. The first is a defect in the 11.1CC and 11.1CT releases of Cisco IOS.
This bug affects all 75XX and 72XX series routers, and 70XX routers with Route-Switch Processor cards. If these routers are configured to switch traffic from an interface with DFS enabled to an interface that has not been DFS-enabled, they are susceptible to the ACL bug. DFS-to-non-DFS configurations are common to routers that contain both VIP and non-VIP interface cards.
The second bug affects 11.1, 11.2, and 11.3 versions of Cisco IOS software on the Cisco 70xx and 75xx series routers. To be vulnerable, these routers must be configured to switch traffic from an input interface with DFS enabled to a logical subinterface of a physical output port. The output interface may or may not have DFS enabled.
Subinterfaces are associated with subsets of the traffic on physical interfaces. For instance, a physical frame relay interface might have a subinterface associated with each frame relay permanent virtual circuit.
This bug causes the ACL applied to one subinterface on a physical interface to be incorrectly used for traffic destined for a different subinterface. If users use the same ACL to filter outbound traffic on all subinterfaces of any given physical interface, then they are not vulnerable.
Neither of the defects "fails reliably," Cisco says. This means the same ACLs on the same interfaces may work correctly at some times, but fail at other times. Because of this, administrators who test their ACLs may be misled that the lists are providing effective protection, when in fact they are not, the field notice states.
These vulnerabilities can be worked around by disabling DFS on network interfaces, Cisco says. Users should be aware, however, that the purpose of DFS is to transfer computational load from the router's primary CPU to the CPUs on the VIP cards. Disabling DFS may cause overload of the router's primary CPU, Cisco says.
Users may also be able to work around the first bug by enabling DFS on all interfaces. The second bug can "sometimes" be bypassed by using the same output ACL on all the subinterfaces of a physical interface, the Cisco notice states.
Another possible workaround is for users to redesign ACLs to avoid the need for output access lists on affected interfaces, Cisco says.
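As an added illustration, not text from Cisco's notice, the following IOS configuration fragment shows the subinterface pattern the notice describes as exposed, followed by the two workarounds discussed above; the interface names, addresses, DLCIs and ACL numbers are constructed for the example.

```cisco
! Added illustration, not Cisco's own text: a 7500-style router with one VIP
! Frame Relay port carrying two PVC subinterfaces. Interface names, addresses,
! DLCIs (16/17) and ACL numbers (101/102/110) are constructed.
!
! --- Pattern the field notice describes as exposed (second bug) ---
! DFS enabled on the inbound interface, traffic switched to subinterfaces
! that each carry a *different* outbound ACL. Per the notice, the ACL of one
! subinterface can be applied to traffic bound for another, and not
! reliably, so a test may pass while filtering is silently wrong.
interface FastEthernet2/0/0
 ip address 192.0.2.1 255.255.255.0
 ip route-cache distributed
!
interface Serial1/0/0
 no ip address
 encapsulation frame-relay
!
interface Serial1/0/0.16 point-to-point
 ip address 198.51.100.1 255.255.255.252
 frame-relay interface-dlci 16
 ip access-group 101 out
!
interface Serial1/0/0.17 point-to-point
 ip address 198.51.100.5 255.255.255.252
 frame-relay interface-dlci 17
 ip access-group 102 out
!
! --- Workaround A (second bug, "sometimes" effective per the notice) ---
! One common outbound ACL on every subinterface of the physical port, so a
! mix-up between subinterfaces cannot select a weaker list. List 110 should
! permit only traffic that every per-PVC list it replaces would have permitted.
interface Serial1/0/0.16 point-to-point
 no ip access-group 101 out
 ip access-group 110 out
interface Serial1/0/0.17 point-to-point
 no ip access-group 102 out
 ip access-group 110 out
!
! --- Workaround B (both bugs) ---
! Disable distributed fast switching on the affected interfaces; filtering
! then happens on the primary CPU, which the notice warns may overload it.
interface FastEthernet2/0/0
 no ip route-cache distributed
```

After applying either change, `show running-config interface Serial1/0/0.16` (and .17) confirms which list is actually bound to each subinterface; because the defects do not fail reliably, a passing traffic test alone is not evidence that the ACL is being enforced.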
Cisco is also offering free software updates to correct these defects for all vulnerable customers, regardless of software maintenance contract status.
This is at least the third major bug that has cropped up in Cisco IOS router software. Last summer, a bug allowed attackers to crash remote routers. And last month, a defect allowed users to gain access to network passwords.