Cisco IOS access control list vulnerable via 'established' keyword

| Field | Value |
|---|---|
| Risk Level | High |
| Check or Attack Name | CiscoACL Established |
| Platforms | Cisco |
| Description | The host may allow unauthorized packets to circumvent a filtering router. Devices running IOS 10.3 and below that use the 'established' keyword in extended IP access control lists may pass unauthorized network traffic. An attacker could use this network access to gather information or gain further unauthorized access to machines. |
| Remedy | IOS users should upgrade to 10.0(10), 10.2(6), 10.3(3), or the latest supported version for the device. As with any software upgrade, verify that your hardware can support the new software before upgrading. |
| Temporary Fix | Rewrite the access list so that the established keyword is not necessary. Do not simply delete the established keyword; instead, redesign your access lists to provide similar functionality without relying on the established mechanism. Alternatively, disable the interfaces to which the access list is applied by using the shutdown interface subcommand. |
| Patches | Registered CCO users can obtain software at http://www.cisco.com/public/sw-center/ and select the software version to download. Non-registered users can obtain patches at http://www.cisco.com/public/library/spc_req.shtml; when prompted for a code, enter the special access code given to you by your Cisco Technical Assistance Center support representative to see the list of available files. For codes and assistance, contact Cisco's TAC at tac@cisco.com. |
| References | Cisco Systems Software & Support, Software Center, http://www.cisco.com/public/sw-center/; Cisco Systems Software & Support, Special Access Code for Software, http://www.cisco.com/public/library/spc_req.shtml; CERT Advisory CA-92.20, Cisco Access List Vulnerability, http://www.cert.org/advisories/CA-92.20.Cisco.Access.List.vulnerability.html |
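The following configuration fragment is an added illustration of the temporary fix described above; it is not from the advisory, CERT or Cisco. It assumes a constructed topology: an Internet-facing interface Serial0 with an inbound extended access list, an internal network 10.0.0.0/8, and one internal mail host 10.1.1.10. The first list is the form the advisory concerns, which relies on 'established' to admit return traffic; the second list provides similar functionality without that keyword by matching the remote service port as the source and a high-numbered internal port as the destination, one line per service that inside hosts are allowed to reach. The last stanza is the advisory's fallback of shutting the interface down.

```text
! Constructed example, not from the advisory. Assumes interface Serial0
! faces the Internet and 10.0.0.0/8 is the internal network.

! --- Form the advisory concerns: return traffic admitted via 'established' ---
access-list 101 permit tcp any 10.0.0.0 0.255.255.255 established
access-list 101 permit tcp any host 10.1.1.10 eq 25
access-list 101 deny ip any any
!
interface Serial0
 ip access-group 101 in

! --- Temporary rewrite that does not use the 'established' keyword ---
! Replies to internal clients are matched by remote service port (source)
! and a high-numbered client port (destination); list only the services
! that inside hosts are permitted to reach.
access-list 102 permit tcp any eq 80 10.0.0.0 0.255.255.255 gt 1023
access-list 102 permit tcp any eq 443 10.0.0.0 0.255.255.255 gt 1023
access-list 102 permit tcp any eq 25 10.0.0.0 0.255.255.255 gt 1023
! Inbound connections to the mail host remain explicitly listed.
access-list 102 permit tcp any host 10.1.1.10 eq 25
access-list 102 deny ip any any
!
interface Serial0
 no ip access-group 101 in
 ip access-group 102 in

! --- Last resort named in the advisory: take the filtered interface down ---
interface Serial0
 shutdown
```

The rewritten list cannot inspect TCP flags the way 'established' does, so it admits any packet whose source port matches a listed service and whose destination is a high internal port; keep it as narrow as the environment allows (specific services, and specific internal hosts where possible) and treat it as a stopgap until the router runs one of the fixed IOS releases listed under Remedy.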