CVE-1999-1466

Severity: HIGH (7.5 / 10.0)
Published: December 10, 1992 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

Vulnerability in Cisco routers versions 8.2 through 9.1 allows remote attackers to bypass access control lists when extended IP access lists are used on certain interfaces, the IP route cache is enabled, and the access list uses the "established" keyword.

CVSS Metrics

Base Score: 7.5
Severity: HIGH
Vector String: AV:N/AC:L/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Cisco routers running versions 8.2 through 9.1 are vulnerable to an access control bypass. A remote attacker can circumvent the filtering that an extended IP access list is meant to enforce by exploiting a flaw in how the router handles access lists containing the 'established' keyword when the IP route cache is enabled, and may thereby reach internal networks or services that the list should protect.

02 // Vulnerability Mechanism

Step 1: Target identification. The attacker identifies a Cisco router within the vulnerable version range (8.2 through 9.1) that has extended IP access lists configured and the IP route cache enabled.

Step 2: Connection establishment. The attacker initiates a TCP connection to a service behind the targeted router that is protected by an access list using the 'established' keyword.

Step 3: Initial packet filtering. The router evaluates the initial SYN packet against the access list. If the access list allows established connections, the SYN packet is permitted.

Step 4: Route cache population. The router caches the route information for the established connection to optimize forwarding performance.

Step 5: Malicious payload delivery. The attacker sends packets that the access list should block (for example, packets from a source IP the access list does not permit).

Step 6: Access list bypass. Because of the flaw, the router may use the cached route information for subsequent packets of the established connection, so the access list is not re-evaluated for them.

Step 7: Unauthorized access. The packets that should have been filtered pass through the router, and the attacker gains unauthorized access to the internal network or service.

03 // Deep Technical Analysis

The vulnerability stems from a logic flaw in the interaction between the IP route cache and the processing of extended IP access lists containing the 'established' keyword. When a TCP connection is established, the router is supposed to permit traffic based on the access list rules. However, the route cache, designed for performance optimization, can sometimes bypass the access list checks for established connections. The 'established' keyword in the access list is intended to filter traffic based on the state of the TCP connection. The flaw lies in the router's failure to consistently re-evaluate the access list rules against the cached route information, allowing traffic that should be blocked to pass through. This is a stateful firewall issue where the state is not correctly maintained, leading to a privilege escalation scenario. The root cause is a race condition between the route cache lookup and the access list evaluation, combined with an incomplete state check.
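A simplified, added model of the fast-path bypass described above (not Cisco's code; the ACL rule, the addresses and the `Router` class are assumptions): the vulnerable router caches the permit verdict per flow and skips the flag-dependent 'established' check for later packets of that flow, while the corrected variant keeps the route cache but re-evaluates the access list on every packet.

```python
# Added, simplified model of the CVE-1999-1466 failure mode (not Cisco's code):
# a route cache that records the access-list verdict for a flow, so later
# packets on that flow skip the ACL. Addresses and rules are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: frozenset  # TCP flags set on this packet, e.g. {"SYN"}

def extended_acl(pkt):
    """Constructed inbound ACL, roughly 'permit tcp any host 10.0.0.5 established'
    plus the implicit deny. 'established' matches only when ACK or RST is set,
    so an inbound SYN (a new connection attempt) must be denied."""
    return pkt.dst == "10.0.0.5" and bool(pkt.flags & {"ACK", "RST"})

class Router:
    def __init__(self, route_cache=True, cache_acl_verdict=True):
        self.route_cache = route_cache
        # Vulnerable behaviour: the cache entry carries the ACL verdict, so the
        # per-packet 'established' test is never repeated for that flow.
        self.cache_acl_verdict = cache_acl_verdict
        self.cache = {}  # (src, dst) -> True once a packet of the flow was permitted

    def forward(self, pkt):
        key = (pkt.src, pkt.dst)
        if self.route_cache and self.cache_acl_verdict and key in self.cache:
            return True  # fast path: cached entry, ACL not consulted
        permitted = extended_acl(pkt)
        if self.route_cache and permitted:
            self.cache[key] = True  # slow path populates the cache
        return permitted

def forward_all(router, packets):
    """Per-packet forwarding decisions for a packet sequence."""
    return [router.forward(p) for p in packets]

# Constructed sequence: an external host sends an ACK-only packet, which
# 'established' permits by design, then a SYN that the ACL should deny.
SEQUENCE = [
    Packet("203.0.113.9", "10.0.0.5", frozenset({"ACK"})),
    Packet("203.0.113.9", "10.0.0.5", frozenset({"SYN"})),
]

if __name__ == "__main__":
    print("vulnerable:", forward_all(Router(), SEQUENCE))  # [True, True]
    print("fixed:", forward_all(Router(cache_acl_verdict=False), SEQUENCE))  # [True, False]
```

Disabling the route cache on the affected interface gives the same per-packet result as the corrected variant, at the cost of the fast-path performance the cache was added for.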
