Cisco IOS XR
cpe:2.3:o:cisco:ios_xr:*:*:*:*:*:*:*
- <= 7.10
A vulnerability exists in the hybrid access control list (ACL) processing of IPv4 packets in Cisco IOS XR Software. It could allow an unauthenticated, remote attacker to bypass a configured ACL. This issue arises from improper handling of packets when a specific hybrid ACL configuration is applied. An attacker could exploit this vulnerability by sending traffic through an affected device, potentially bypassing ACL protections.
Exploitation could allow an attacker to bypass ACL protections on an affected device, leading to unauthorized access or manipulation of network traffic. The specific impact would depend on the role of the bypassed ACL in the network security posture.
The vulnerability can be reproduced by configuring a hybrid IPv4 ACL with compression level 3 that includes 32 or more different source or destination network object groups. Once the ACL is applied to a network interface, traffic can be sent through the device to test if the ACL is being enforced as intended.
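As an added example (not Cisco's code and not from this page's source), the Python below audits an IOS XR running-config for the condition described above: an IPv4 ACL bound to an interface with `compress level 3` that references 32 or more distinct source or destination network object groups. It assumes the usual running-config form (`net-group NAME` inside ACEs, `ipv4 access-group NAME ingress compress level 3` under an interface) and counts groups per direction; the function names and the sample configuration are constructed for illustration.

```python
import re

THRESHOLD = 32  # from the page: 32 or more distinct network object groups
ACE = re.compile(r"\s+(?:\d+ )?(?:permit|deny) \S+ (\S.*)")
BIND = re.compile(r"\s+ipv4 access-group (\S+) (?:ingress|egress)\b.*\bcompress level 3\b")

def acl_groups(config):
    """Map ACL name -> (source net-groups, destination net-groups)."""
    acls, current = {}, None
    for line in config.splitlines():
        head = re.match(r"ipv4 access-list (\S+)", line)
        if head:
            current = acls.setdefault(head.group(1), (set(), set()))
        elif not line.startswith(" "):
            current = None  # left the ACL block
        elif current is not None and (m := ACE.match(line)):
            tok = m.group(1).split()
            if len(tok) > 1 and tok[0] == "net-group":
                current[0].add(tok[1])
            # Source spec is one token ("any", "a.b.c.d/len") or two (all other forms).
            rest = tok[1:] if tok[0] == "any" or "/" in tok[0] else tok[2:]
            # Source is consumed, so any later net-group is the destination.
            if "net-group" in rest[:-1]:
                current[1].add(rest[rest.index("net-group") + 1])
    return acls

def exposed_bindings(config):
    """Return (interface, acl, n_src_groups, n_dst_groups) for each matching binding."""
    acls, findings, iface = acl_groups(config), [], None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif not line.startswith(" "):
            iface = None
        elif iface and (m := BIND.match(line)) and m.group(1) in acls:
            src, dst = acls[m.group(1)]
            if max(len(src), len(dst)) >= THRESHOLD:
                findings.append((iface, m.group(1), len(src), len(dst)))
    return findings

def sample_config(n):
    """Constructed config: ACL EDGE-IN with n distinct source net-groups."""
    aces = "\n".join(f" {10 * (i + 1)} permit ipv4 net-group SRC{i} net-group DST0" for i in range(n))
    return (f"ipv4 access-list EDGE-IN\n{aces}\n!\n"
            "ipv4 access-list SMALL\n 10 permit tcp any net-group DST0 eq 443\n!\n"
            "interface TenGigE0/0/0/1\n ipv4 access-group EDGE-IN ingress compress level 3\n!\n"
            "interface TenGigE0/0/0/2\n ipv4 access-group SMALL ingress compress level 3\n!\n"
            "interface TenGigE0/0/0/3\n ipv4 access-group EDGE-IN ingress\n!\n")
```

Feed `exposed_bindings` the text of a saved running-config; any tuple it returns names an interface whose ACL binding matches the affected configuration and should be prioritized for the fixed release.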
Cisco has released software updates to address this vulnerability. Customers can upgrade to Cisco IOS XR 7.11.2, or to later versions starting from 24.1. For platforms or releases not covered by these versions, contact Cisco support for available maintenance updates.