Since I hadn't already seen this post come across this group.
Cisco Security Advisory (July 31, 1995)
CIO Topic: SECURITY ADVISORY PLEASE READ for Important Internetwork News
Posted : Aug 3 16:48:28 1995
Cisco Security Advisory
Mon Jul 31 16:24:28 1995
The following describes an error in Cisco's IOS software 10.3 release when
the 'tacacs-ds' or 'tacacs' keyword is used in extended IP access control
lists. This bug can cause an extended IP access control list to be
misparsed, possibly allowing unauthorized packets to circumvent a filtering
router. This vulnerability is present in the following IOS software
10.3(3.4) through 10.3(4.2)
If you are running any of these IOS versions on a product that uses IP
extended access lists, and you are using the 'tacacs-ds' or 'tacacs'
keyword in these lists, then Cisco strongly recommends that you review your
access lists to insure that they have been parsed correctly. You can
determine what version of IOS you are running by issuing the following
If your access list has been parsed incorrectly, the recommended action is
to upgrade to a more recent version of IOS or perform the workaround
described below. The bug is fixed by in the following official software
10.3(4.3) or later
(For reference, the Cisco update identifier for this fix is "CSCdi36962".)
Customers may obtain software upgrades without going through the Cisco's
Technical Assistance Center via Cisco's Customer Information On-Line
service, instructions for downloading are available at the end
of this message.
You may also contact your Cisco distributor or contact Cisco's
Technical Assistance Center (TAC) for more information. TAC can be reached
by phone at 800-553-2447, by E-Mail to tac @
com or via the
World-Wide-Web at http://www.cisco.com. In Europe you can contact TAC by
phone at 32-2-778-42-42 or via E-Mail to euro-tac @
A bug in certain versions of IOS can cause extended IP access lists to
be parsed incorrectly. Under some circumstances, this may allow
packets to bypass IP packet filtering. This may permit unintended IP
traffic to pass through a filtering router.
IP extended access lists between versions 10.3(1) through 10.3(3.3)
used the keyword 'tacacs-ds'. This keyword could be saved as part of
the router configuration either in non-volatile memory on the router or
on an external TFTP server.
Configuration files written by these versions which are read by
versions 10.3(3.4) through 10.3(4.2) will not have the 'tacacs-ds'
keyword parsed correctly. The result will be that the entire line in
the access list will be ignored. An error message will be generated
when this occurs. Loss of such a line from the access list may create
a vulnerability if the access list is used as part of a packet filter.
To determine if you are vulnerable, examine your current configuration
and compare it to your intended configuration.
If the access lists in your current configuration and your intended
configuration do not use the keyword 'tacacs-ds', you are not
vulnerable. You do not need to do anything.
If your current configuration contains the keyword 'tacacs-ds', you
should NOT upgrade that router to any version of IOS between 10.3(3.4)
and 10.3(4.2). You are not currently vulnerable.
If your intended configuration contains the keywords 'tacacs-ds',
'tacacs', or filters on TCP or UDP port 49, and your current
configuration does NOT contain this line of the access list, you are
currently vulnerable. You should perform the workaround described
The following actions will remove the vulnerability:
- Delete the access list and re-enter it based upon your intended
configuration. Do not enter the 'tacacs-ds' keyword. Use the keyword
Obtain and install the appropriate release of IOS software as
described above. For assistance contact Cisco's TAC.
Software upgrades may be obtained via any of the following mechanisms:
A) World Wide Web (WWW):
For registered CIO users please open a URL to:
and select the the version of software to download.
For non-registered users open a URL to:
When prompted for a code, please enter:
for a list of available files to download.
ftp cio.cisco.com and at the initial (username) prompt, enter:
At the password prompt, enter your e-mail address.
This file contains a list of files available that close this
vulnerability. Please examine this list to determine which
files you need and then download them.
C) Character-based "CIO Classic":
For access, the following connection options are offered:
o Dial-up modem
+ In Europe +33 1 64 46 40 82
+ In the US (408) 526 8070
+ vt100, N81, up to 14.4Kbps
Enter either as a guest or registered user and navigate to the topic:
At the prompt for a code, please enter:
A list of files will be displayed for you to select and download.
US Sprint tel: 703.689.6828
Managed Network Engineering internet: paul @
Reston, Virginia USA http://www.sprintmrn.com