CVE-1999-1306

HIGH 7.5 / 10.0
Published: December 10, 1992 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

Cisco IOS 9.1 and earlier does not properly handle extended IP access lists when the IP route cache is enabled and the "established" keyword is set, which could allow attackers to bypass filters.

CVSS Metrics

Base Score: 7.5
Severity: HIGH
Vector String: AV:N/AC:L/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

NVD-CWE-Other (Source: nvd@nist.gov)

AI Security Analysis

01 // Technical Summary

Cisco IOS versions 9.1 and earlier are vulnerable to an access list bypass when the IP route cache is enabled and the 'established' keyword is used in an extended IP access list. An attacker can circumvent the intended network security filters, potentially gaining unauthorized access to internal resources and sensitive data. This vulnerability could lead to complete network compromise.

02 // Vulnerability Mechanism

Step 1: Target Identification: The attacker identifies a Cisco IOS device running a vulnerable version (9.1 or earlier) with the IP route cache enabled and an extended access list that uses the 'established' keyword.

Step 2: Crafting the Malicious Packet: The attacker crafts a TCP packet that the access list would normally block (e.g., a packet initiating a new connection from an untrusted source). The attacker may attempt to guess or infer the internal network topology.

Step 3: Packet Injection: The attacker sends the crafted packet to the vulnerable Cisco IOS device.

Step 4: Route Cache Lookup: The Cisco IOS device checks its route cache for a cached route to the packet's destination.

Step 5: Bypass Condition: If a matching route exists in the cache, the access list check is skipped because of the flawed implementation.

Step 6: Packet Forwarding: The packet is forwarded to its destination even though the access list should have blocked it.

Step 7: Exploitation: The attacker uses the now-unfiltered path into the internal network for reconnaissance, lateral movement, or data exfiltration.

03 // Deep Technical Analysis

The vulnerability stems from a flaw in how Cisco IOS handles extended IP access lists in conjunction with the IP route cache and the 'established' keyword. The route cache is designed to speed up packet forwarding by storing routing information; in the affected versions, a packet that matches a cached route bypasses the access list checks. The 'established' keyword is meant to filter TCP traffic based on connection state (e.g., permitting only segments that belong to an already established connection), but when the route cache is active IOS fails to evaluate it correctly, so packets that the access list should block are forwarded whenever they match a cached route. This is not a buffer overflow or memory corruption issue but a logic flaw in the packet filtering process: the access list filtering logic is not properly integrated with the route cache lookup, and the result is a filter bypass.
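To make the logic flaw concrete, the following is an added, simplified Python model of the filtering path described above; it is not Cisco code, and the cache-hit shortcut, the constructed ACL (permit tcp any 10.0.0.0/8 established; deny ip any any) and the sample addresses are assumptions for illustration. It relies on the documented semantics of 'established', which matches TCP segments carrying the ACK or RST bit, and contrasts the vulnerable evaluation order with one that applies the ACL before consulting the cache.

```python
# Model of an extended ACL with the "established" keyword plus a route-cache
# fast path. Added illustration, not Cisco code; the fast path that skips the
# ACL on a cache hit is modelled from the description in this record.
from dataclasses import dataclass

ACK, RST, SYN = 0x10, 0x04, 0x02  # TCP flag bits


@dataclass
class Packet:
    src: str
    dst: str
    flags: int  # TCP flags byte


def established(p: Packet) -> bool:
    """Cisco 'established' matches TCP segments with ACK or RST set."""
    return bool(p.flags & (ACK | RST))


def acl_permits(p: Packet) -> bool:
    """Constructed ACL: permit tcp any 10.0.0.0/8 established; deny ip any any."""
    return p.dst.startswith("10.") and established(p)


def forward_vulnerable(p: Packet, route_cache: set) -> bool:
    # Flaw as described: a route-cache hit skips the ACL check entirely.
    if p.dst in route_cache:
        return True
    if acl_permits(p):
        route_cache.add(p.dst)  # first permitted packet populates the cache
        return True
    return False


def forward_fixed(p: Packet, route_cache: set) -> bool:
    # Corrected order: the ACL is evaluated for every packet; the cache only
    # accelerates the route lookup and never decides the filtering outcome.
    if not acl_permits(p):
        return False
    route_cache.add(p.dst)
    return True


def demo():
    """Return (vulnerable, fixed) verdicts for a reply segment then a new SYN."""
    reply = Packet("192.0.2.10", "10.1.1.5", ACK)  # return traffic, permitted
    syn = Packet("192.0.2.10", "10.1.1.5", SYN)    # new inbound connection, must be denied
    cache = set()
    vuln = (forward_vulnerable(reply, cache), forward_vulnerable(syn, cache))
    cache = set()
    fixed = (forward_fixed(reply, cache), forward_fixed(syn, cache))
    return vuln, fixed
```

In the vulnerable path the SYN is forwarded once the reply has seeded the cache; in the fixed path it is dropped, which is the behaviour the 'established' filter is supposed to provide.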
