ID

VAR-200305-0083

TITLE

Cisco IOS Crypto Engine Accelerator Access Control List Bypass Vulnerability

DESCRIPTION

The Internet Operating System (IOS) is an operating system used on CISCO routers. The use of an access control list when the CISCO router enables the crypto engine accelerator allows unauthorized types of communication access, which can be exploited by remote attackers to bypass the access control list to access the protected network. If the CISCO router has the following configuration: crypto engine accelerator PPPoE dialer Ip route-cache Set the access control list on the external interface to allow only incoming ISAKMP and IPSEC communication, such as: ip access-list extended Block-Inbound-unwanted-Trafic permit udp 100.100. 100.0 0.0.0.255 host 102.168.1.2 eq isakmp permit esp 100.100. 100.0 0.0.0.255 host 102.168.1.2 deny ip any any log The IPSec communication will be parsed twice due to the incoming access control list, which will result in unauthorized communication access being protected. The internet. For example, ACLs allow internal networks to be exploited by attackers to inject fake packets into the network. However, if static encryption (crypto) mapping is used, this problem does not exist, so non-encrypted communication will be discarded when it is parsed by the ACL. In the case of dynamic encryption mapping, if an attacker wants to note that a forged packet bypasses the access list to access the network, it must control the neighbor router connected to the ACK interface to complete the attack

IOT TAXONOMY

AFFECTED PRODUCTS

CVSS

THREAT TYPE

network

TYPE

Input Validation Error

EXTERNAL IDS

REFERENCES

CREDITS

Discovery credited to Olivier <itsce.networkservices@pmintl.ch>.

SOURCES

LAST UPDATE DATE

2022-05-17T02:00:52.008000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE