Cisco IOS and Cisco IOS XE Software Zone-Based Firewall Feature Bypass Vulnerability

A vulnerability in the Zone-Based Firewall feature of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to pass traffic that should otherwise have been dropped based on the configuration.

The vulnerability is due to a logic flaw in a corner case scenario. An attacker could exploit this vulnerability by sending traffic that would have been dropped by the policy.

In a Zone-Based Firewall setup, if only one zone pair is defined in the egress direction but there is no reverse zone pair defined in the opposite direction, return traffic should be dropped instead of allowed for traffic subject to the egress action of pass.

There are workarounds that address this vulnerability.

This advisory is available at the following link:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-ios-zbf[“https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-ios-zbf”]