Cisco: CISCO-SA-20070926-CVE-2007-5134
Sep 26, 2007 - 10:30 p.m.

Cisco IOS on Catalyst 6500 and Cisco 7600 Access Control List Bypass Vulnerability

2007-09-26 22:30:35
tools.cisco.com
CVSS2: 5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.009
Percentile: 83.2%

Cisco IOS running on Catalyst 6500 and Cisco 7600 contains a vulnerability that could allow an unauthenticated, remote attacker to bypass configured ACLs.

The vulnerability exists because the affected devices accept traffic to IP addresses that are reserved for use by the Ethernet Out-of-Band Channel (EOBC). These addresses are not typically protected by ACLs, as they are not expected to be reachable outside the EOBC. An unauthenticated, remote attacker could exploit this vulnerability to bypass ACLs configured to protect exposed management addresses and send packets to intelligent modules such as the Supervisor or Multi-layer Switch Feature Card (MSFC).

Exploit code is not required to exploit this vulnerability.

Cisco has confirmed this vulnerability in a security response and released updated software.

The vulnerability affects Catalyst 6500 and Cisco 7000 devices that are running in both Hybrid Mode (CatOS on the Supervisor Engine and IOS on the MSFC) and Native Mode (IOS on both the Supervisor Engine and the MSFC).

The 127.0.0.0/8 network is reserved for loopback and internal communications, as specified in RFC 3330 (http://www.faqs.org/rfcs/rfc3330.html). As such, traffic bound for this network is not routed over the public Internet. However, some default configurations of IOS running on Cisco Routers may allow such traffic to pass over trusted internal networks. The circumstances that would allow this are very specific and are unlikely to occur in most networks. These factors dramatically lower the pool of potential attackers. Any attacker that bypasses ACLs using this vulnerability to access an affected device must still authenticate to perform actions such as modifying configuration files.

Multiple methods exist to effectively mitigate this vulnerability without downtime or software upgrades. Administrators of high availability environments are advised to utilize ACLs or Control Plane Policing (CoPP) to prevent unwanted traffic from reaching intelligent management cards. Administrators are still encouraged to update the software running on these devices during the next scheduled and planned outage.
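
As an added example (not part of the Cisco advisory), the following Python check audits a saved IOS running-config for the ACL mitigation described above, listing interfaces whose inbound ACL is missing or would let a packet destined to 127.0.0.0/8 through. It assumes the mitigation is a named extended ACL applied inbound and made of plain any / host / wildcard entries; the function names, ACL names and sample configuration are constructed for illustration.

```python
import ipaddress, re

EOBC_NET = ipaddress.ip_network("127.0.0.0/8")  # range named in the advisory text

def _addr(tok):  # consume one IOS address spec: any | host A | A WILDCARD
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tok[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def acl_blocks_eobc(entries):
    """First-match walk: True if no entry can permit a 127.0.0.0/8 destination."""
    for tok in (e.split() for e in entries):
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            continue  # remarks and blank lines
        src, rest = _addr(tok[2:])
        if rest[0] in ("eq", "gt", "lt", "neq", "range"):  # source-port qualifier
            rest = rest[3:] if rest[0] == "range" else rest[2:]
        dst, _ = _addr(rest)
        if tok[0] == "permit" and dst.overlaps(EOBC_NET):
            return False  # a permit reachable before the deny
        if tok[:2] == ["deny", "ip"] and src.prefixlen == 0 and EOBC_NET.subnet_of(dst):
            return True
    return True  # implicit deny ends every ACL

def audit(config):
    """Interfaces whose inbound ACL is absent, undefined, or lets 127/8 through."""
    acls = {m[1]: m[2].splitlines() for m in
            re.finditer(r"^ip access-list extended (\S+)\n((?: .*\n)*)", config, re.M)}
    return [m[1] for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)
            if not (g := re.search(r"^ ip access-group (\S+) in$", m[2], re.M))
            or g[1] not in acls or not acl_blocks_eobc(acls[g[1]])]

# Constructed sample configuration (ACL and interface names are made up).
SAMPLE = """\
ip access-list extended EDGE-IN
 deny ip any 127.0.0.0 0.255.255.255
 permit ip any any
ip access-list extended LEGACY-IN
 permit tcp any any eq 22
 deny ip any 127.0.0.0 0.255.255.255
interface GigabitEthernet1/1
 ip access-group EDGE-IN in
interface GigabitEthernet1/2
 ip access-group LEGACY-IN in
interface GigabitEthernet1/3
 ip address 192.0.2.1 255.255.255.0
"""
```

Calling audit(SAMPLE) reports GigabitEthernet1/2, where a permit precedes the deny, and GigabitEthernet1/3, which has no inbound ACL. Interfaces protected only by numbered ACLs are also reported, because the check does not parse them.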

This vulnerability has been resolved with the release of 12.2(33)SXH.
