Cisco Catalyst 1000 and 2960L Switches Access Control List Bypass Vulnerability
Vulnerability
A vulnerability in the access control list (ACL) management of Cisco IOS Software on Catalyst 1000 and Catalyst 2960L Switches could allow an unauthenticated, remote attacker to bypass a configured ACL. The vulnerability arises from an unsupported combination: an IPv4 ACL and the dynamic ACL that IP Source Guard installs, both applied to the same interface. An attacker could exploit it simply by sending traffic through the affected device; a successful exploit lets traffic that the ACL was configured to block pass through. Cisco has updated its documentation to state that this configuration is unsupported and has not released software updates to address the vulnerability. Workarounds are available.
Impact
A successful exploit bypasses ACL protections on the affected device. The consequence depends on what the ACL was protecting: traffic the ACL should have blocked can reach hosts or services behind the switch, which may lead to unauthorized access to those systems or to manipulation of network traffic.
Remediation
Because the combination is unsupported, administrators should apply either an IPv4 ACL or IP Source Guard to a given interface, not both. This workaround has been tested successfully in a controlled environment, but its applicability and effectiveness should be evaluated in the context of the specific network environment before it is deployed.
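As an added check (example code written for this page, not Cisco's or the advisory's own), the following Python script audits an IOS running-config for interfaces that carry both an `ip access-group` IPv4 ACL and `ip verify source` (IP Source Guard), the unsupported combination the workaround removes. The two command names are standard IOS interface syntax; the sample configuration, its interface names and the ACL name are constructed for the example and do not come from a real device.

```python
"""
Audit a Cisco IOS running-config for interfaces that combine an IPv4 ACL
(`ip access-group`) with IP Source Guard (`ip verify source`).

Added example, not Cisco's code. The sample config below is constructed
for illustration; interface and ACL names are made up.
"""
import re
from typing import Dict, List

# Constructed sample running-config (not captured from a real switch).
SAMPLE_CONFIG = """\
!
ip access-list extended BLOCK-MGMT
 deny ip any 10.0.0.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet1/0/1
 description user port - ACL only
 switchport access vlan 10
 ip access-group BLOCK-MGMT in
!
interface GigabitEthernet1/0/2
 description user port - IP Source Guard only
 switchport access vlan 10
 ip verify source
!
interface GigabitEthernet1/0/3
 description user port - both features (unsupported combination)
 switchport access vlan 10
 ip access-group BLOCK-MGMT in
 ip verify source port-security
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
ACL_RE = re.compile(r"^\s+ip access-group\s+(\S+)\s+(in|out)\s*$")
IPSG_RE = re.compile(r"^\s+ip verify source(\s|$)")


def parse_interfaces(config: str) -> Dict[str, Dict[str, object]]:
    """Return {interface: {"acls": [(name, direction), ...], "ipsg": bool}}.

    Only interface stanzas are parsed. A stanza ends at the next line that
    is not indented (IOS prints '!' or the next top-level command there).
    """
    interfaces: Dict[str, Dict[str, object]] = {}
    current = None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {"acls": [], "ipsg": False}
            continue
        if not line.startswith(" "):
            current = None  # left the interface stanza
            continue
        if current is None:
            continue  # indented line belonging to some other top-level block
        m = ACL_RE.match(line)
        if m:
            interfaces[current]["acls"].append((m.group(1), m.group(2)))
            continue
        if IPSG_RE.match(line):
            interfaces[current]["ipsg"] = True
    return interfaces


def find_conflicts(config: str) -> List[str]:
    """Interfaces that have both an IPv4 ACL and IP Source Guard applied."""
    return sorted(
        name for name, attrs in parse_interfaces(config).items()
        if attrs["acls"] and attrs["ipsg"]
    )


if __name__ == "__main__":
    for name in find_conflicts(SAMPLE_CONFIG):
        print(f"{name}: IPv4 ACL and IP Source Guard on the same interface (unsupported)")
```

Run it against the output of `show running-config` saved to a file (replace `SAMPLE_CONFIG` with the file contents); every interface it reports needs one of the two features removed, and the audit should be repeated after the change to confirm the combination is gone.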
