Summary

• A group of related software bugs (bug IDs given under "Software Versions and Fixes") create an undesired interaction between network address translation (NAT) and input access list processing in certain Cisco routers running 12.0-based versions of Cisco IOS software (including 12.0, 12.0S, and 12.0T, in all versions up to, but not including, 12.0(4), 12(4)S, and 12.0(4)T, as well as other 12.0 releases). Non-12.0 releases are not affected.

  This may cause input access list filters to "leak" packets in certain NAT configurations, creating a security exposure. Configurations without NAT are not affected.

  The failure does not happen at all times, and is less likely under laboratory conditions than in installed networks. This may cause administrators to believe that filtering is working when it is not.

  Software fixes are being created for this vulnerability, but are not yet available for all software versions (see the section on "Software Versions and Fixes"). This notice is being released before fixed software is universally available in order to enable affected Cisco customers to take immediate steps to protect themselves against this vulnerability.

  This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-19990414-ios-nat-acl.

Affected Products

• This section provides details on affected products.

  Vulnerable Products

  If you are using input access lists in conjunction with NAT on an interface of a Cisco IOS router running any 12.0-based version of Cisco IOS software earlier than the fixed versions listed in the table under "Software Versions and Fixes", then you are affected by this vulnerability. Non-12.0 releases are not affected.

  Both input access lists and NAT must be in use on the same router interface in order for this vulnerability to manifest itself. If your configuration file does not contain the command ip access-group <acl> in on the same interface with ip nat inside or ip nat outside, then you are not affected. The majority of routers are not configured to use NAT, and are therefore not affected. NAT routers are most commonly found at Internet boundaries.

  Cisco devices that run Cisco IOS software, and are affected by this vulnerability, include the following:

  • Cisco routers in the 17xx family are affected.
    
  • Cisco routers in the 26xx family are affected.
    
  • Cisco routers in the 36xx family are affected.
    
  • Cisco routers in the AS58xx family (not the AS52xx or AS53xx) are affected.
    
  • Cisco routers in the 72xx family (including the ubr72xx) are affected.
    
  • Cisco routers in the RSP70xx family (not non-RSP 70xx routers) are affected.
    
  • Cisco routers in the 75xx family are affected.
    
  • The Catalyst 5xxx Route-Switch Module (RSM) is affected. The Catalyst 5xxx switch supervisors themselves are not affected; only the optional RSM module is involved.
    

  Cisco devices which run Cisco IOS software, but are not affected by this vulnerability, include the following:

  • Cisco routers in the 8xx family are not affected.
    
  • Cisco routers in the ubr9xx family are not affected.
    
  • Cisco routers in the 10xx family are not affected.
    
  • Cisco routers in the 14xx family are not affected.
    
  • Cisco routers in the 16xx family are not affected.
    
  • Cisco routers in the 25xx family are not affected.
    
  • Cisco routers in the 30xx family are not affected (and do not run 12.0 software).
    
  • Cisco routers in the mc38xx family are not affected.
    
  • Cisco routers in the 40xx family are not affected.
    
  • Cisco routers in the 45xx family are not affected.
    
  • Cisco routers in the 47xx family are not affected.
    
  • Cisco routers in the AS52xx family are not affected
    
  • Cisco routers in the AS53xx family are not affected.
    
  • Catalyst 85xx Switch Routers are not affected (and do not support NAT).
    
  • GSR12xxx Gigabit Switch Routers are not affected (and do not support NAT).
    
  • Cisco 64xx universal access concentrators are not affected.
    
  • Cisco AGS/MGS/CGS/AGS+ and IGS routers are not affected (and do not run 12.0 software).
    
  • LS1010 ATM switches are not affected.
    
  • Catalyst 2900XL LAN switches are not affected.
    
  • The Cisco DistributedDirector is not affected.
    

  If you are unsure whether your device is running classic Cisco IOS software, log into the device and issue the command show version. Cisco IOS software will identify itself simply as "IOS" or "Internetwork Operating System Software". Other Cisco devices either will not have the show version command, or will give different output.

  Products Confirmed Not Vulnerable

  If you are not running Cisco IOS software, then you are not affected by this vulnerability. Cisco devices which do not run Cisco IOS software, and are not affected by this vulnerability, include the following:

  • 7xx dialup routers (750, 760, and 770 series) are not affected.
    
  • Catalyst 19xx, 28xx, 29xx, 3xxx, and 5xxx LAN switches are not affected.
    
  • WAN switching products in the IGX and BPX lines are not affected.
    
  • The MGX (formerly known as the AXIS shelf) is not affected.
    
  • No host-based software is affected.
    
  • The Cisco PIX Firewall is not affected.
    
  • The Cisco LocalDirector is not affected.
    
  • The Cisco Cache Engine is not affected.
    

  No other Cisco products are currently known to be affected by these vulnerabilities.

Details

• This vulnerability is created by bugs in interface hardware drivers. These bugs affect the drivers for all interface types on affected platforms. The majority of these driver bugs are grouped under Cisco bug ID CSCdk79747. Additional bugs IDs include CSCdm22569 (miscellaneous additional drivers), and CSCdm22299 (Cisco 1400 and 1700 platforms; of these two, only the 1700 actually suffers packet leakage).

  A related bugs is CSCdm22451, which describes a problem with the original fix for CSCdk79747.

  All four of these bugs are, or will be, fixed in the software releases listed in the table below.

Workarounds

• This vulnerability may be worked around by changing the configuration to avoid using input access lists, by removing NAT from the configuration, or by separating NAT and filtering functions into different network devices or onto different interfaces. Each of these changes has significant installation-dependent complexity, and must be planned and executed with a full understanding of the implications of the change.

  If the configuration of a router is changed to eliminate NAT, or to change the interfaces on which NAT is applied, as a means of avoiding this vulnerability, the router must be reloaded before the change will have the desired effect.

Fixed Software

• Many Cisco software images have been or will be specially reissued to correct this vulnerability. For example, regular released version 12.0(3) is vulnerable, as are interim versions 12.0(3.1) through 12.0(3.7) The first fixed version of 12.0 mainline software is 12.0(4). However, a special release, 12.0(3b), contains only the security vulnerability fixes, and does not include any of the other bug fixes from later 12.0 interim releases.

  If you were running 12.0(3), and wanted to upgrade to fix this problem, without taking the risk of instability presented by the new functionality and additional bug fixes in the 12.0(4) release, you could upgrade to 12.0(3b). 12.0(3b) represents a "code branch" from the 12.0(3) base, which merges back into the 12.0 mainline at 12.0(4).

  In every case, these special releases are one-time spot fixes, and will not be maintained. The upgrade path from, say, 12.0(3b), is to 12.0(4).

  Note that fixes are not yet available for some affected releases. Cisco is releasing this notice before the general release of fixed software because of the possibility that this vulnerability may be exploited in the interim. All fix dates in the table are estimates and are subject to change.

  Cisco IOS Major Release	Description	Special spot fix release; most stable immediate upgrade path (see above)	Projected first fixed regular or interim** release (fix will carry forward into all later versions)	Projected first fixed regular maintenance release (or other long term upgrade path)
  Unaffected releases
  11.3 and earlier, all variants	Unaffected early releases	Unaffected	Unaffected	Unaffected
  12.0-based releases
  12.0	12.0 mainline	12.0(3b)	12.0(4), April 19, 1999*	12.0(4), April 19, 1999*
  12.0S	ISP support: 7200, RSP, GSR12000. In field test.	-	12.0(4)S (treated as interim** and released to field testers on request only)	12.0(5)S June 21, 1999*
  12.0T	12.0 new technology early deployment	12.0(3)T2, April 14, 1999*	12.0(4)T, April 26, 1999*	12.0(4)T, April 26, 1999*
  12.0DB	12.0 for Cisco 6400 universal access concentrator node switch processor (lab use)	-	-	Unaffected; not supported on affected platforms.
  12.0(1)W5(x)	12.0 for Catalyst 8500 and LS1010	-	-	Unaffected; not supported on affected platforms
  12.0(0.6)W5	One-time early deployment for CH-OC12 module in Catalyst 8500 series switches	-	-	Unaffected; not supported on affected platforms
  12.0(1)XA3	Short-life release; merged to 12.0T at 12.0(2)T.	-	Merged	Upgrade to 12.0(3)T2 or 12.0(4)T
  12.0(1)XB	Short-life release for Cisco 800 series; merged to 12.0T at 12.0(3)T.	Unaffected	Merged	Unaffected; not supported on affected platforms. Regular upgrade path is via 12.0(4)T.
  12.0(2)XC	Short-life release for new features in Cisco 2600, Cisco 3600, ubr7200, ubr900 series; merged to 12.0T at 12.0(3)T.	-	Merged	Upgrade to 12.0(3)T2 or 12.0(4)T
  12.0(2)XD	Short-life release for ISDN voice features; merged to 12.0T at 12.0(3)T.	-	Merged	Upgrade to 12.0(3)T2 or 12.0(4)T
  12.0(x)XE	Short-life release for selected entreprise features; merged to 12.0T at 12.0(3)T.	12.0(2)XE3, April 13, 1999*	Merged	Upgrade to 12.0(3)T2 or 12.0(4)T.
  12.0(2)XF	Short-life spot release of 12.0 for the Catalyst 2900XL LAN switch; merged to 12.0T at 12.0(4)T.	Unaffected	Merged	Unaffected; not supported on affected platforms. Regular upgrade path is via 12.0(4)T.
  12.0(2)XG	Short-life release for voice modules and features; merged to 12.0T at 12.0(4)T.	-	Merged	Upgrade to 12.0(4)T

  * All dates are tentative and subject to change

  ** Interim releases are subjected to less internal testing and verification than are regular releases, may have serious bugs, and should be installed with great care.

Exploitation and Public Announcements

• Cisco knows of no public announcements or discussion of this vulnerability before the date of this notice. Cisco has had no reports of malicious exploitation of this vulnerability. However, the nature of this vulnerability is such that it may create security exposures without knowingly being "exploited" as the term is usually used with respect to security vulnerabilities.

  This vulnerability was reported to Cisco by several customers who found it during in-service testing.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-19990414-ios-nat-acl

Revision History

• Revision 1.3

  1999-April-14

  Initial public release.

  Show Less