_____________________________________________________
                 The Computer Incident Advisory Capability
                            ___  __ __    _     ___
                           /       |     / \   /
                           \___  __|__  /___\  \___
      _____________________________________________________

    Vulnerability in Cisco Routers used as Firewalls
 
May 12, 1993 1500 PDT                                           Number D-15
__________________________________________________________________________
PROBLEM:   Under certain circumstances, Cisco routers will pass IP source
           routed packets that should be denied.
PLATFORM:  Cisco routers -- software releases 8.2, 8.3, 9.0, 9.1, and 9.17.
DAMAGE:    Unauthorized packets may be passed.
SOLUTION:  Apply upgrade or use access lists.
__________________________________________________________________________
  
  Critical Information about vulnerability in Cisco routers

CIAC has learned that under certain circumstances Cisco routers will
pass IP source routed packets that should be denied, potentially
passing unauthorized packets.  This vulnerability affects Cisco
routers with software releases 8.2, 8.3, 9.0, 9.1, and 9.17 using the
"no IP source-route" command.  CIAC recommends that sites using Cisco
routers for firewall protection apply upgrades as indicated below.  If
you are unable to upgrade immediately, you may use access lists to deny
unauthorized packets.

This vulnerability is fixed in Cisco software releases 8.3(7.2),
9.0(5), 9.1(4), 9.17(2.1), and all later releases.  Sites using
release 8.2 need to upgrade to a later release; release 8.3 should
apply update (8); release 9.0, update (5); release 9.1, update (4);
and release 9.17, update (3).  Those customers having a maintenance
contract may obtain these releases through Cisco's Customer
Information On-Line (CIO).  Other customers may obtain them through
Cisco's Technical Assistance Center (800.553.2447 -- Internet:
tac@cisco.com) or by contacting their local Cisco distributor.
Contact Cisco's Technical Assistance Center for more information.

For additional information or assistance, please contact CIAC at
(510)422-8193/FTS or send E-mail to ciac@llnl.gov.  FAX messages to
(510)423-8002/FTS.

CIAC wishes to thank the CERT Coordination Center for the information
used in this bulletin.

Previous CIAC Bulletins and other information are available via
anonymous ftp from irbis.llnl.gov (IP address 128.115.19.60).

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents.  Your agency's team will coordinate with CIAC.  The Forum
of Incident Response and Security Teams (FIRST) is a world-wide
organization.  A list of FIRST member organizations and their
constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line:
send first-contacts.

This document was prepared as an account of work sponsored by an
agency of the United States Government.  Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, expressed or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, product, or process disclosed, or
represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of
California.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor
the University of California, and shall not be used for advertising or
product endorsement purposes.