Cisco routers 9.17 and earlier allow remote attackers to bypass security restrictions via certain IP source routed packets that should normally be denied using the "no ip source-route" command.
Cisco routers running versions 9.17 and earlier are vulnerable to a critical security flaw allowing remote attackers to bypass the 'no ip source-route' command. This vulnerability permits attackers to inject malicious traffic, potentially leading to network compromise and data exfiltration by exploiting the router's handling of source-routed IP packets.
Step 1: Packet Crafting: The attacker crafts a malicious IP packet. This packet includes IP source routing options, specifying a route through the target network, bypassing normal routing rules.
Step 2: Packet Delivery: The attacker sends the crafted packet to the vulnerable Cisco router.
Step 3: Router Processing (Flawed): The router receives the packet. Despite the 'no ip source-route' command being enabled, the router's packet processing logic fails to correctly identify and reject the source routing options.
Step 4: Packet Forwarding: The router, due to the vulnerability, forwards the packet along the path specified in the source routing options, effectively bypassing security controls.
Step 5: Network Access: The attacker gains access to resources within the network that would normally be inaccessible, potentially leading to further exploitation and network compromise.
The vulnerability stems from a flaw in how Cisco routers prior to version 9.17 processed IP source-routed packets. The 'no ip source-route' command was intended to prevent the router from accepting packets with source routing options, thus mitigating attacks that could bypass access control lists (ACLs) and other security measures. The root cause is a failure in the packet filtering logic. Specifically, the router's implementation did not correctly validate or discard source-routed packets, allowing them to traverse the network even when the command was enabled. This likely involves a flaw in the packet processing code, where the router's internal logic fails to properly check for and reject the source routing options before forwarding the packet. This could be due to a missing check, an incorrect comparison, or a bypass mechanism within the packet handling routines. The lack of proper validation allows attackers to craft packets with specific source routing options, effectively bypassing the intended security restrictions.