Cisco Bug: CSCur28806 - ACL slow-path matching failed for host member in IPv4 obj-group

Last Modified

Sep 17, 2019

Products (8)

  • Cisco ASR 9000 Series Aggregation Services Routers
  • Cisco IOS XR Software
  • Cisco ASR 9922 Router
  • Cisco ASR 9010 Router
  • Cisco ASR 9904 Router
  • Cisco ASR 9006 Router
  • Cisco ASR 9001 Router
  • Cisco ASR 9912 Router

Known Affected Releases

  • 5.1.3.LC
  • 5.3.0.BASE

Description (partial)

An issue in the object-group ACL matching process of the Cisco Aggregation Services Router 9000 (ASR9K) could allow an unauthenticated, remote attacker to
bypass the protection offered by a configured ACL on an affected device.

The issue is due to the ASR9K incorrectly handling host access control entries: a 'host' member of an object-group is matched as the 'any' address instead of
the specified 'host' address. An attacker could exploit this vulnerability to bypass the access control list, leading to traffic loss or unwanted permits.

ASR9K running affected software.

Related Community Discussions

IOS-XR: ACE using an Object-group does not match
Jan 19, 2015 (first version)   TAC SR Collection   Main problem: On a router running IOS-XR, a host entry in an ACE (Access Control Entry) that uses an Object-group does not match correctly. For the Object-group notation, please refer to the following: Configuring ACL with Object-Groups.   Example: the configuration below is meant to permit connections only from [omitted], but because of this bug all connections are permitted.
  object-group network ipv4 obj1
   host
  !
  ipv4 access-list obj_Acl
   10 permit ipv4 net-group obj1 any
  !
  interface GigabitEthernet0/0/0/0
   ipv4 address
   ipv4 access-group obj_Acl ...
Latest activity: Jan 21, 2015
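As an added illustration (not from the bug record or the community post above), the following Python script flags the configuration pattern both passages describe, an ACE referencing a network object-group that has host members, and models the reported symptom of a host member being matched as 'any'. The sample configuration and the host address in it are constructed; the matcher is a simplified model of the described behaviour, not IOS XR's ACL code.

```python
import ipaddress
import re

# Constructed IOS XR config modelled on the community post (host address is an assumed placeholder).
SAMPLE_CONFIG = """
object-group network ipv4 obj1
 host 192.0.2.10
!
ipv4 access-list obj_Acl
 10 permit ipv4 net-group obj1 any
 20 deny ipv4 any any
!
"""

def parse_config(config):
    """Return ({group: [members]}, {acl: [ace lines]}) from an IOS XR fragment."""
    groups, acls, target = {}, {}, None
    for line in config.splitlines():
        g = re.match(r"object-group network ipv4 (\S+)", line)
        a = re.match(r"ipv4 access-list (\S+)", line)
        if g or a:
            target = groups.setdefault(g.group(1), []) if g else acls.setdefault(a.group(1), [])
        elif line.startswith("!"):
            target = None
        elif target is not None and line.strip():
            target.append(line.strip())
    return groups, acls

def find_host_member_aces(config):
    """List (acl, ace, group) for ACEs whose net-group contains a 'host' member,
    the pattern CSCur28806 mis-evaluates as 'any' on affected releases."""
    groups, acls = parse_config(config)
    return [(acl, ace, g) for acl, aces in acls.items() for ace in aces
            for g in re.findall(r"net-group (\S+)", ace)
            if any(m.startswith("host ") for m in groups.get(g, []))]

def source_matches(members, src_ip, affected):
    """Evaluate a net-group's members against a source address. affected=True
    models the reported symptom: a 'host' member matches every source."""
    ip = ipaddress.ip_address(src_ip)
    for mem in members:
        if mem.startswith("host "):
            if affected or ipaddress.ip_address(mem.split()[1]) == ip:
                return True
        elif ip in ipaddress.ip_network(mem, strict=False):
            return True
    return False

if __name__ == "__main__":
    for acl, ace, g in find_host_member_aces(SAMPLE_CONFIG):
        print(f"{acl}: '{ace}' references {g}, which has host members; review on affected releases")
```

Running the script against a saved configuration identifies the ACEs to re-check after an upgrade, and source_matches(..., affected=True) shows why a non-listed source is permitted on an affected release.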