Cisco IOS 12.0, 12.1, and 12.2, when GRE IP tunneling is used and the RFC2784 compliance fixes are missing, does not verify the offset field of a GRE packet during decapsulation, which leads to an integer overflow that references data from incorrect memory locations, which allows remote attackers to inject crafted packets into the routing queue, possibly bypassing intended router ACLs.
secunia.com/advisories/21783
securityreason.com/securityalert/1526
securitytracker.com/id?1016799
www.cisco.com/en/US/tech/tk827/tk369/tsd_technology_security_response09186a008072cd7b.html
www.osvdb.org/28590
www.phenoelit.de/stuff/CiscoGRE.txt
www.securityfocus.com/archive/1/445322/100/0/threaded
www.securityfocus.com/bid/19878
www.vupen.com/english/advisories/2006/3502
exchange.xforce.ibmcloud.com/vulnerabilities/28786
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5713