Date: 14 May 2003 14:52:44 -0000
From: Olivier <itsce.networkservices@...ntl.ch>
To: bugtraq@...urityfocus.com
Subject: Cisco ACL bug when using VPN crypto engine accelerator, PPPoE dialer or ip route-cache
Platform: Cisco 1760 dual Ethernet

IOS: 12.2.xT IP/ADSL/FW/IDS PLUS IPSEC 3DES

Environment: Site to site VPN for small offices.

ACLs are not properly parsed as soon as you enable:

crypto engine accelerator
PPPoE dialer
ip route-cache

Without the features mentioned above, you can apply an ACL on the outside
interface allowing only inbound ISAKMP and IPSEC traffic.

For example:

ip access-list extended Block-Inbound-unwanted-Trafic
 permit udp 100.100.100.0 0.0.0.255 host 102.168.1.2 eq isakmp
 permit esp 100.100.100.0 0.0.0.255 host 102.168.1.2
 deny   ip any any log



If you activate the crypto engine, the ACL is also applied to the decrypted
traffic, which forces you to permit all of the decrypted traffic as well.
For example, if you are using 10.x addresses internally and the subnet
10.200.0.0/24 for your SOHO LAN. It can be worse if you have a huge network
inside, where you would prefer to add permit ip any 10.200.0.0 0.0.0.255.

ip access-list extended Block-Inbound-unwanted-Trafic
 permit udp 100.100.100.0 0.0.0.255 host 102.168.1.2 eq isakmp
 permit esp 100.100.100.0 0.0.0.255 host 102.168.1.2
 permit ip  10.0.0.0 0.255.255.255 10.200.0.0 0.0.0.255  <----------- extra line now required
 deny   ip any any log
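As an added illustration (not part of the original post), a small Python model of Cisco extended ACL first-match evaluation run over the two ACLs above: the outer ISAKMP and ESP packets pass either ACL, while a decrypted LAN-to-LAN packet only passes once the extra permit line is present. The packet addresses, ports and the protocol/port lookup tables are constructed assumptions.

```python
import ipaddress

PORT_NAMES = {"isakmp": 500}                                # constructed lookup for the 'eq' keywords used here
PROTOCOLS = {"ip": None, "udp": 17, "tcp": 6, "esp": 50}     # None = any IP protocol

def _parse_addr(toks, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' at toks[i]; return (network, next index)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    # Cisco wildcard: 0 bits must match, so the netmask is the bitwise inverse of the wildcard.
    mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(toks[i + 1]))))
    return ipaddress.ip_network((toks[i], mask), strict=False), i + 2

def parse_acl(text):
    """Return (action, proto, src_net, dst_net, dst_port) tuples, skipping the header line."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue
        src, i = _parse_addr(toks, 2)
        dst, i = _parse_addr(toks, i)
        port = PORT_NAMES[toks[i + 1]] if i < len(toks) and toks[i] == "eq" else None
        rules.append((toks[0], PROTOCOLS[toks[1]], src, dst, port))
    return rules

def permitted(rules, proto, src, dst, dport=None):
    """First-match evaluation, with the implicit 'deny ip any any' at the end of every Cisco ACL."""
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto is not None and rproto != proto:
            continue
        if ipaddress.ip_address(src) not in rsrc or ipaddress.ip_address(dst) not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action == "permit"
    return False

OUTSIDE_ONLY = """ip access-list extended Block-Inbound-unwanted-Trafic
 permit udp 100.100.100.0 0.0.0.255 host 102.168.1.2 eq isakmp
 permit esp 100.100.100.0 0.0.0.255 host 102.168.1.2
 deny   ip any any log"""
# Same ACL with the extra line the post says becomes necessary once the crypto engine is enabled.
WITH_INNER = OUTSIDE_ONLY.replace(" deny", " permit ip  10.0.0.0 0.255.255.255 10.200.0.0 0.0.0.255\n deny")

def check(acl_text):
    """Outer ISAKMP, outer ESP, and a decrypted LAN-to-LAN packet (sample addresses are constructed)."""
    rules = parse_acl(acl_text)
    return {"isakmp": permitted(rules, 17, "100.100.100.7", "102.168.1.2", 500),
            "esp": permitted(rules, 50, "100.100.100.7", "102.168.1.2"),
            "inner": permitted(rules, 6, "10.5.5.5", "10.200.0.9", 445)}
```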


This looks pretty bad for a VPN box running a Firewall feature set IOS, which
is seen as the best candidate for VPN for small offices.

The worst is the reply from Cisco:
-------------------------------------------------------------------
We will be addressing this in the next few months however
the release time frame could be as late as the end
of the year.

We do have plans to address it but do
not expect it in a released image until the
last calendar quarter of the year. If it's possible we
can get it done and released sooner than what I've
mentioned, we will do it, no guarantees however.
-------------------------------------------------------------------

We would have hoped that they would put more resources and concern into
solving security issues.
