CVE-1999-1306

Source: cve@mitre.org

HIGH
7.5
Published: December 10, 1992 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM

Vulnerability Description

Cisco IOS 9.1 and earlier does not properly handle extended IP access lists when the IP route cache is enabled and the "established" keyword is set, which could allow attackers to bypass filters.

CVSS Metrics

Base Score
7.5
Severity
HIGH
Vector String
AV:N/AC:L/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Cisco IOS versions 9.1 and earlier are vulnerable to a filter bypass when using extended IP access lists with the 'established' keyword and IP route caching. This allows attackers to circumvent security controls and potentially gain unauthorized access to internal networks. Successful exploitation could lead to data exfiltration, system compromise, and denial-of-service conditions.

02 // Vulnerability Mechanism

Step 1: Target Identification: The attacker identifies a Cisco IOS device running a vulnerable version (9.1 or earlier) with IP route caching enabled and extended IP access lists configured with the 'established' keyword.

Step 2: Crafting the Malicious Packet: The attacker crafts a TCP packet that would normally be blocked by the access list (e.g., a packet without the ACK or RST flag set, or a packet destined for a restricted internal resource).

Step 3: Packet Injection: The attacker sends the crafted packet to the vulnerable Cisco IOS device.

Step 4: Route Caching: Due to the vulnerability, the IOS device incorrectly caches a route for the malicious packet, bypassing the access list.

Step 5: Subsequent Traffic: The attacker sends subsequent traffic, which now uses the cached route, allowing the traffic to bypass the access list and reach its intended destination (e.g., an internal server).

03 // Deep Technical Analysis

The vulnerability stems from an improper interaction between extended IP access list processing and the IP route cache in Cisco IOS. When the 'established' keyword is used, the access list entry is intended to match only TCP packets with the ACK or RST flag set, i.e. packets belonging to an already established connection. The flaw lies in how IOS handles packets that match the access list criteria when the route cache is enabled: the system may cache routes for packets that should have been dropped by the access list, effectively bypassing the intended filtering. This is likely due to a logic error in the packet-processing code, where the access list check is not correctly applied to cached routes, or the cache is populated before the access list is fully evaluated. The root cause is therefore a logic flaw in the interaction between access list filtering and the route cache, leading to incorrect forwarding decisions; the 'established' keyword creates the specific condition under which the filtering logic is bypassed.

04 // Exploitation Status

Discovery Only. While the vulnerability is well-documented, a readily available, fully automated exploit is unlikely. Exploitation requires a deep understanding of network configuration and packet crafting. Manual exploitation is possible, but complex. No public PoC is known to exist.

05 // Threat Intelligence

While no specific APTs are directly linked to this vulnerability due to its age and the lack of readily available exploits, any threat actor with the skills to craft packets and understand network configurations could potentially exploit it. This vulnerability is not listed on the CISA KEV catalog.

06 // Detection & Hunting

  • Analyze network traffic for packets that violate the configured access list rules, especially those targeting internal resources.

  • Monitor network logs for unusual traffic patterns, such as unexpected connections to internal servers from external sources.

  • Review Cisco IOS configuration for the use of the 'established' keyword in extended IP access lists and verify the route cache status.

  • Examine network traffic captures for packets that should have been dropped by the access lists, but were instead forwarded.

07 // Remediation & Hardening

  • Upgrade Cisco IOS to a patched version (later than 9.1).

  • Review and revise IP access list configurations to ensure they accurately reflect the desired security policies.

  • Disable IP route caching if it is not essential for network performance.

  • Implement network segmentation to limit the impact of a potential breach.

  • Regularly audit network configurations for compliance with security best practices.

  • Employ an Intrusion Detection/Prevention System (IDS/IPS) to detect and block malicious traffic.
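The configuration review recommended under Detection & Hunting and the route-cache hardening advice above can be automated with a small audit script. The following Python example is added here and is not part of this advisory or of any Cisco tooling. It parses a constructed IOS-style running configuration (the interface names and addresses are made up), collects numbered and named extended access lists, and flags any interface that binds an ACL using the 'established' keyword while the IP route cache is still enabled. It assumes the classic IOS syntax (`access-list N ...`, `ip access-list extended NAME`, `ip access-group`, `no ip route-cache`) and that fast switching is on unless `no ip route-cache` appears on the interface; the version check follows the affected range the advisory gives (9.1 and earlier).

```python
"""Audit a Cisco IOS configuration for the CVE-1999-1306 condition:
an extended IP access list using 'established', bound to an interface
on which the IP route cache (fast switching) is enabled."""
import re
from dataclasses import dataclass, field

# Constructed sample running-config; interface names and addresses are made up.
SAMPLE_CONFIG = """\
version 9.1
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
!
interface Serial0
 ip address 198.51.100.1 255.255.255.252
 ip access-group RETURN-TRAFFIC in
 no ip route-cache
!
interface Serial1
 ip address 203.0.113.1 255.255.255.252
 ip access-group 102 in
!
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 established
access-list 101 deny ip any any
access-list 102 permit tcp any host 203.0.113.10 eq 25
access-list 102 deny ip any any
ip access-list extended RETURN-TRAFFIC
 permit tcp any any established
 deny ip any any
!
"""

ACL_NUMBERED = re.compile(r"^access-list\s+(\d+)\s+(.*)$")
ACL_NAMED = re.compile(r"^ip access-list extended\s+(\S+)\s*$")
INTERFACE = re.compile(r"^interface\s+(\S+)\s*$")
ACCESS_GROUP = re.compile(r"^ip access-group\s+(\S+)\s+(in|out)\s*$")
VERSION = re.compile(r"^version\s+(\d+)\.(\d+)")


@dataclass
class Interface:
    name: str
    acls: list = field(default_factory=list)  # ACLs bound via 'ip access-group'
    # Assumption: IOS fast switching is enabled unless 'no ip route-cache' is present.
    route_cache: bool = True


def parse_config(text):
    """Return (version tuple or None, {acl: [entries]}, {name: Interface})."""
    version, acls, interfaces = None, {}, {}
    current = None  # ("acl", name) or ("if", name) while inside a section
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' separates config sections
            continue
        indented = line.startswith(" ")
        line = line.strip()
        if not indented:
            current = None
            if m := VERSION.match(line):
                version = (int(m.group(1)), int(m.group(2)))
            elif m := ACL_NUMBERED.match(line):
                acls.setdefault(m.group(1), []).append(m.group(2))
            elif m := ACL_NAMED.match(line):
                current = ("acl", m.group(1))
                acls.setdefault(m.group(1), [])
            elif m := INTERFACE.match(line):
                current = ("if", m.group(1))
                interfaces[m.group(1)] = Interface(m.group(1))
            continue
        if current is None:
            continue
        kind, name = current
        if kind == "acl":
            acls[name].append(line)
        elif line == "no ip route-cache":
            interfaces[name].route_cache = False
        elif line == "ip route-cache":
            interfaces[name].route_cache = True
        elif m := ACCESS_GROUP.match(line):
            interfaces[name].acls.append(m.group(1))
    return version, acls, interfaces


def uses_established(entries):
    """True if any ACL entry carries the 'established' keyword."""
    return any(re.search(r"\bestablished\b", e) for e in entries)


def is_affected_version(version):
    """The advisory lists IOS 9.1 and earlier as affected."""
    return version is not None and version <= (9, 1)


def audit(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    version, acls, interfaces = parse_config(text)
    findings = []
    if is_affected_version(version):
        findings.append(f"IOS version {version[0]}.{version[1]} is within the affected range (9.1 and earlier)")
    for iface in interfaces.values():
        for acl in iface.acls:
            if uses_established(acls.get(acl, [])) and iface.route_cache:
                findings.append(f"{iface.name}: ACL {acl} uses 'established' with IP route cache enabled; "
                                f"apply 'no ip route-cache' on the interface until IOS is upgraded")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample, only Ethernet0 is flagged: Serial0 binds an 'established' ACL but has the route cache disabled, and Serial1's ACL does not use the keyword at all. Running the script against a real `show running-config` export is the mechanical part of the review; interpreting whether the route cache is essential on a flagged interface remains a judgement call.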

08 // Affected Products

Cisco IOS versions 9.1 and earlier