**************************************************************************
Security Bulletin 9524                 DISA Defense Communications System
June 6, 1995             Published by: DDN Security Coordination Center
                                      (SCC@NIC.DDN.MIL)   1-(800) 365-3642
 
                        DEFENSE  DATA  NETWORK
                          SECURITY  BULLETIN
 
  The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
  Coordination Center) under DISA contract as a means of communicating
  information on network and host security exposures, fixes, and concerns
  to security and management personnel at DDN facilities.  Back issues may
  be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5]
  using login="anonymous" and password="guest".  The bulletin pathname is
  scc/ddn-security-yynn (where "yy" is the year the bulletin is issued
  and "nn" is a bulletin number, e.g. scc/ddn-security-9428).
**************************************************************************
 
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!     The following important  advisory was  issued by the Automated    !
!     Systems Security Incident Support Team (ASSIST) and is being      !
!     relayed unedited via the Defense Information Systems Agency's     !
!     Security Coordination Center  distribution  system  as a  means   !
!     of providing  DDN subscribers with useful security information.   !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    
          Automated Systems Security Incident Support Team
                                                _____
             ___   ___  _____   ___  _____     |     /
      /\    /   \ /   \   |    /   \   |       |    / Integritas
     /  \   \___  \___    |    \___    |       |   <      et
    /____\      \     \   |        \   |       |    \ Celeritas
   /      \ \___/ \___/ __|__  \___/   |       |_____\
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>  
    
                       Bulletin  95-22
 
       Release date: 6 June, 1995, 11:15 AM EDT (GMT -4)

SUBJECT: Vulnerability in Cisco's IOS software.

SUMMARY: Some versions of Cisco's IOS software contain a 
vulnerability when the 'established' keyword is used in extended 
IP access control lists.  The vulnerability could allow a user to
bypass IP packet filtering.  The Cisco update identifier for this 
fix is CSCdi34061.

BACKGROUND: The following IOS versions are affected:
 
        10.3(1) through 10.3(2)
        10.2(1) through 10.2(5)
        10.0(1) through 10.0(9)
 
and all versions of Cisco software previous to 10.0.  You can 
determine what version of IOS you are running by issuing the 
following command:
   show version 

To determine if your IOS configuration is vulnerable issue the
following command to display configuration parameters: 
   write term

If you see an access list line using a list number in the range of 
100 through 199 that permits or denies TCP traffic and contains the 
word 'established' near the end of the line, you may be vulnerable.  
An example line might look like:
   (In IOS 10.3)
   access-list 100 permit tcp any any established

   (In IOS 10.2 or earlier)
   access-list 100 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0
   255.255.255.255 established
                                                
   If you do not meet this test, then you are not vulnerable and no
   further action is required.

The vulnerability is fixed in the following official Cisco software 
releases:

        10.0(10) or later
        10.2(6)  or later
        10.3(3)  or later

IMPACT: This bug can, under very specific circumstances and only 
with certain IP host implementations, allow unauthorized packets to
circumvent a filtering router.

RECOMMENDED SOLUTIONS: Determine whether or not Cisco systems at
your site are vulnerable and take action to correct the problem on
all systems that are vulnerable. 

Customers may obtain software upgrades without going through the
Cisco's Technical Assistance Center via Cisco's Customer Information 
On-Line service.  Instructions for downloading information from Cisco
are included later in this message.  You may also contact your Cisco 
distributor or contact Cisco's Technical Assistance Center (TAC) for 
more information.  TAC can be reached by phone at 800-553-2447, by 
E-Mail to tac@cisco.com or via the World-Wide-Web at 
http://www.cisco.com.  In Europe you can contact TAC by phone at 
32-2-778-42-42 or via E-Mail to euro-tac@cisco.com.

Temporary Workaround
   The following actions will remove the vulnerability:
   Rewrite the access list parameters so the 'established' keyword 
   is not necessary.  This does not simply mean that you may remove
   the 'established' keyword, but rather that you will need to
   re-design your access lists to provide similar functionality 
   without using the established mechanism.
      or
   Disable the interfaces to which the access list is applied
   using the 'shutdown' interface subcommand:
   (example)
   router(config)#interface ethernet 0
   router(config-if)#shutdown

Permanent Fix
   Obtain and install the appropriate updated release of IOS 
   software that has the problem fixed (see BACKGROUND section
   above).  For assistance contact Cisco's TAC.

Technical Comments
   This problem is caused by an obscure but common design flaw that
   may exist in other vendor's router/firewall packet filtering
   implementations.  Owners of non-Cisco hardware who use IP packet
   filtering features similar to Cisco's "extended access lists" as 
   part of a firewall system may wish to contact their vendor to 
   confirm that this vulnerability does not exist in their system.
   This vulnerability can only be exploited with certain IP host
   implementations (the Cisco Security Bulletin on this topic did 
   not have information on which implementations are susceptible).  

Obtaining Cisco software upgrades.
A. World Wide Web (WWW):
   Registered CIO users can open a URL to:
   http://cio.cisco.com/kobayashi/Library_root.shtml
   and select the the version of software to download.

   Non-registered users can open a URL to:
   http://cio.cisco.com/public/library/spc_req.shtml
   When prompted for a code, enter:
   certjun2
   for a list of available files to download.
     
B. FTP:
   ftp cio.cisco.com and at the initial (username) prompt, enter:
   certjun2
   At the password prompt, enter your e-mail address, then:
   get README.certjun2
   This file contains a list of files available that close this
   vulnerability. 

C. Character-based "CIO Classic":
   For access, the following connection options are offered:
   telnet cio.cisco.com 
   o Dial-up modem
      + In Europe +33 1 64 46 40 82
      + In the US (408) 526 8070
      + vt100, N81, up to 14.4Kbps
   Enter either as a guest or registered user and navigate to the
   topic:
      Software Updates 
      Special Files
   At the prompt for a code, please enter:
   certjun2
   A list of files will be displayed for you to select and 
   download.

ASSIST would like to thank the Cisco Corporation for information
contained in this bulletin. 

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

ASSIST is an element of the Defense Information Systems Agency 
(DISA), Center for Information Systems Security (CISS), that 
provides service to the entire DoD community. Constituents 
of the DoD with questions about ASSIST or computer security 
security issues, can contact ASSIST using one of the methods
listed below.  Non-DoD organizations/institutions, contact
the Forum of Incident Response and Security Teams (FIRST)
(FIRST) representative.  To obtain a list of FIRST member
organizations and their constituencies send an email to
docserver@first.org with an empty "subject" line and a message body
containing the line "send first-contacts".

ASSIST Information Resources: To be included in the distribution
list for the ASSIST bulletins, send your Milnet (Internet) e-mail
address to assist-request@assist.mil.  Back issues of ASSIST 
bulletins, and other security related information, are available
from the ASSIST BBS at 703-607-4710, DSN 327-4710 and through 
anonymous FTP from assist.mil (IP address 199.211.123.11).  Note: 
assist.mil will only accept anonymous FTP connections from Milnet 
addresses that are registered with the NIC or DNS.  If your system 
is not registered, you must provide your MILNET IP address to 
ASSIST before access can be provided.
 
ASSIST Contact Information: 
PHONE: 800-357-4231 (or 703-756-7974 DSN 289), duty hours are 06:00
to 22:30 EDT (GMT -4) Monday through Friday.  During off duty hours, 
weekends and holidays, ASSIST can be reached via pager at 800-791-
4857.  The page will be answered within 30 minutes, however if a 
quicker response is required, prefix the phone number with "999".
ELECTRONIC MAIL: Send to assist@assist.mil. 
ASSIST BBS: Leave a message for the "sysop". 

Reference herein to any specific commercial product, process, or
service by trade name, trademark manufacturer, or otherwise, does
not constitute or imply its endorsement, recommendation, or
favoring by ASSIST.  The views and opinions of authors expressed
herein shall not be used for advertising or product endorsement
purposes. 

****************************************************************************
*                                                                          *
*    The point of contact for MILNET security-related incidents is the     *
*    Security Coordination Center (SCC).                                   *
*                                                                          *
*               E-mail address: SCC@NIC.DDN.MIL                            *
*                                                                          *
*               Telephone: 1-(800)-365-3642                                *
*                                                                          *
*    NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,   *
*    Monday through Friday except on federal holidays.                     *
*                                                                          *
****************************************************************************

PLEASE NOTE: Some users outside of the DOD computing communities may receive
DDN Security bulletins.  If you are not part of  the DOD community, please
contact your agency's incident response team to report incidents.  Your 
agency's team will coordinate with DOD.  The Forum of Incident Response and
Security Teams (FIRST) is a world-wide organization.  A list of FIRST member
organizations and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.

This document was prepared as an service to the DOD community.  Neither the 
United States Government nor any of their employees, makes any warranty, 
expressed or implied, or assumes any legal liability or responsibility for 
the accuracy, completeness, or usefulness of any information, product, or 
process disclosed, or represents that its use would not infringe privately 
owned rights.  Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not 
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government.  The opinions of the authors expressed herein
do not necessarily state or reflect those of the United States Government,
and shall not be used for advertising or product endorsement purposes.