Cisco IOS Software Input Access List Leakage with NAT - Cisco Systems

This script is (C) 2010-2014 Tenable Network Security, Inc.


Synopsis :

The remote device is missing a vendor-supplied security patch

Description :

A group of related software bugs (bug IDs given under "Software
Versions and Fixes") create an undesired interaction between network
address translation (NAT) and input access list processing in certain
Cisco routers running 12.0-based versions of Cisco IOS software
(including 12.0, 12.0S, and 12.0T, in all versions up to, but not
including, 12.0(4), 12.0(4)S, and 12.0(4)T, as well as other 12.0
releases). Non-12.0 releases are not affected.

This may cause input access list filters to "leak" packets in certain
NAT configurations, creating a security exposure. Configurations
without NAT are not affected.

The failure does not happen at all times, and is less likely under
laboratory conditions than in installed networks. This may cause
administrators to believe that filtering is working when it is not.

Software fixes are being created for this vulnerability, but are not
yet available for all software versions (see the section on "Software
Versions and Fixes"). This notice is being released before fixed
software is universally available in order to enable affected Cisco
customers to take immediate steps to protect themselves against this
vulnerability.
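As an added illustration, not code from the Nessus plugin or from Cisco's advisory, the following Python check applies the two conditions stated above (a 12.0-based release earlier than 12.0(4), and NAT combined with an inbound access list) to constructed "show version" and running-config samples. The version regex, the configuration patterns, and the sample text are assumptions made for this example.

```python
import re

# Per the advisory: 12.0-based trains (12.0, 12.0S, 12.0T, ...) before
# 12.0(4) are affected; non-12.0 releases are not.
FIX_MAINTENANCE = 4


def parse_ios_version(show_version):
    """Return (major, minor, maintenance, train) from 'show version' text,
    or None when no IOS version string is found (regex is an assumption)."""
    m = re.search(r"Version\s+(\d+)\.(\d+)\((\d+)(?:\.\d+)?\)([A-Za-z]*)",
                  show_version)
    if not m:
        return None
    major, minor, maint, train = m.groups()
    return int(major), int(minor), int(maint), train


def version_affected(show_version):
    """True when the device runs a 12.0-based release before 12.0(4)."""
    parsed = parse_ios_version(show_version)
    if parsed is None:
        return False
    major, minor, maint, _train = parsed
    return (major, minor) == (12, 0) and maint < FIX_MAINTENANCE


def nat_with_input_acl(running_config):
    """True when NAT is enabled and an inbound access list is applied,
    i.e. the configuration class the advisory says can leak packets."""
    has_nat = re.search(r"^\s*ip nat (inside|outside)\b", running_config, re.M)
    has_in_acl = re.search(r"^\s*ip access-group \S+ in\b", running_config, re.M)
    return bool(has_nat and has_in_acl)


def assess(show_version, running_config):
    """Vulnerable only if the release is affected AND the exposure is configured."""
    if not version_affected(show_version):
        return "not affected"
    if not nat_with_input_acl(running_config):
        return "affected release, NAT/input ACL exposure not configured"
    return "exposed: apply the fix from cisco-sa-19990414-ios-nat-acl"


# Constructed sample input (not captured from a real device).
SAMPLE_VERSION = "IOS (tm) 2500 Software (C2500-I-L), Version 12.0(3)T, RELEASE SOFTWARE"
SAMPLE_CONFIG = """interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
 ip nat outside
interface Ethernet1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONFIG))
```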

See also :

http://www.nessus.org/u?daf3883e
http://www.nessus.org/u?48c1d7b8

Solution :

Apply the relevant patch referenced in Cisco Security Advisory
cisco-sa-19990414-ios-nat-acl.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 5.0
(CVSS2#E:H/RL:U/RC:ND)

Family: CISCO

Nessus Plugin ID: 48947 (cisco-sa-19990414-ios-nat-aclhttp.nasl)

Bugtraq ID: 706

CVE ID: CVE-1999-0445