This vulnerability affects all versions of Cisco IOS software that
support WCCP that have been released as of the date of this notice. This
includes Cisco IOS 11.2(P) releases beginning with 11.2(10)P, 11.1CA releases
beginning with 11.1(14)CA, and 11.1 releases derived from 11.1(14)CA, including
Cisco plans to release software that supports authentication for WCCP.
This will involve a modification to the WCCP protocol. In order to take
advantage of the authentication features, customers will need to upgrade the
software in both routers and Cache Engines, and will need to make some minor
configuration changes on both devices. Release of the improved software is
tentatively scheduled for September, 1998, but this schedule is subject to
change. Cisco believes that the workaround described below will adequately
protect Cache Engine users until the new software is ready.
Cisco is considering making an interim fix involving an explicit
command to apply an access list to all incoming WCCP traffic. This would be
largely equivalent to the workaround discussed below, but might be easier for
some users to configure. No decision has been made on when or whether to offer
this interim fix. If an interim fix is created, this notice will be updated to
reflect that fact.