Cisco Bug: CSCup30133 - Incorrect prefix entries for range in compress lvl 1 or 3

Last Modified

Jul 21, 2018

Products (1)

  • Cisco ASR 9000 Series Aggregation Services Routers

Known Affected Releases

5.3.0.BASE

Description (partial)

Symptom:

A vulnerability in the port or address range compression feature for access control lists (ACLs) in Cisco IOS XR for Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to bypass the protection offered by a configured ACL on an affected device.

The vulnerability is due to incorrect port or address range encoding in the compression module of an ACL applied to an interface of an affected device. An attacker could exploit this vulnerability by sending traffic through an affected device that should otherwise be denied by the configured ACL. A successful exploit could allow the attacker to bypass the protection offered by a configured ACL on an affected device.

Conditions:
 
The following conditions must be met:

(1.1) The ACL contains IPv4 or IPv6 object-groups that contain ranges -AND-
(1.2) The ACL is applied at compression level 1 or 3 (compression level 2 is not supported)

-OR-

(2.1) The ACL contains port object-groups that contain port ranges -AND-
(2.2) The ACL is applied at compression level 3

-OR-

(3.1) The ACL contains both IPv4/IPv6 object-groups and port object-groups, and all of these object-groups contain ranges -AND-
(3.2) The ACL is applied at compression level 1 or 3

-OR-

(4.1) The ACL does not contain any object-groups, but it contains ACEs that specify a port range -AND-
(4.2) The ACL is applied at compression level 3
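As an added audit example (not part of the Cisco bug report), the following Python script checks a saved IOS XR configuration against the four conditions above and reports each interface/ACL pair that matches one of them, so an operator can find exposed ACL applications before traffic is trusted. The sample configuration is constructed, and the CLI forms it relies on (`object-group network ipv4` and `object-group port` with `range` entries, `net-group`/`port-group` references in ACEs, and `compress level N` on the `access-group` line) are assumptions about the syntax, not taken from the bug report.

```python
import re
# Constructed IOS XR-style sample (not from the bug report) exercising conditions 3 and 4.
SAMPLE_CONFIG = """\
object-group network ipv4 NET-RANGE
 range 192.0.2.10 192.0.2.20
!
object-group port WEB-PORTS
 range 8000 8080
!
ipv4 access-list EDGE-IN
 10 deny tcp net-group NET-RANGE any port-group WEB-PORTS
!
ipv4 access-list PLAIN-RANGE
 10 deny tcp any any range 1000 2000
!
interface GigabitEthernet0/0/0/0
 ipv4 access-group EDGE-IN ingress compress level 1
!
interface GigabitEthernet0/0/0/1
 ipv4 access-group PLAIN-RANGE ingress compress level 3
!
"""
BLOCK = re.compile(r"^(\S[^\n]*)\n((?: [^\n]*\n)*)", re.M)  # header line + indented body
APPLY = re.compile(r"ipv[46] access-group (\S+) \S+ compress level (\d)")  # assumed CLI form

def find_exposed_acls(config):
    """Return (interface, acl, level, condition) for each applied ACL matching conditions 1-4."""
    addr_groups, port_groups, acls, findings = set(), set(), {}, []
    blocks = BLOCK.findall(config)
    for header, body in blocks:  # pass 1: object-groups containing ranges, and ACL bodies
        has_range = re.search(r"^ range ", body, re.M) is not None
        if header.startswith("object-group network") and has_range:
            addr_groups.add(header.split()[-1])
        elif header.startswith("object-group port") and has_range:
            port_groups.add(header.split()[-1])
        elif re.match(r"ipv[46] access-list ", header):
            acls[header.split()[-1]] = body
    for header, body in blocks:  # pass 2: compression level of each ACL applied on an interface
        for acl, lvl in (APPLY.findall(body) if header.startswith("interface ") else []):
            aces, level = acls.get(acl, ""), int(lvl)
            addr = any(g in addr_groups for g in re.findall(r"net-group (\S+)", aces))
            port = any(g in port_groups for g in re.findall(r"port-group (\S+)", aces))
            uses_groups = re.search(r"\b(net|port)-group\b", aces) is not None
            ace_range = re.search(r"\brange \d+ \d+", aces) is not None
            cond = (3 if addr and port and level in (1, 3) else 1 if addr and level in (1, 3)
                    else 2 if port and level == 3
                    else 4 if not uses_groups and ace_range and level == 3 else None)
            if cond:
                findings.append((header.split()[1], acl, level, cond))
    return findings
```

Running it on the sample flags EDGE-IN on the first interface under condition 3 and PLAIN-RANGE on the second under condition 4; an ACL applied at a level outside the listed ones, or without ranges, is not reported.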