CVE-2023-20191: Cisco Security Advisory: Cisco IOS XR Software Access Control List Bypass Vulnerability
A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL.
This vulnerability is due to incomplete support for this feature. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to bypass an ACL on the affected device.
There are workarounds that address this vulnerability.
This advisory is part of the September 2023 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2023 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication.
At the time of publication, this vulnerability affected the following Cisco products if they were running a vulnerable release of Cisco IOS XR Software and had MPLS packet filtering enabled with the explicit-null or de-aggregation label on the ingress direction:
- IOS XR White box (IOSXRWBD)
- Network Convergence Series (NCS) 540 Series Routers
- NCS 560 Series Routers
- NCS 5500 Series
- NCS 5700 Series
For information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
Determine Whether Filtering of MPLS Packets on the Ingress Direction is Enabled
To determine whether filtering of MPLS packets on the ingress direction is enabled, follow this two-step process:
- Identify all MPLS interfaces.
- Check the configuration to see if an IPv4 or IPv6 ACL is configured for the ingress direction.
The following example shows an MPLS interface, TenGigE0/0/0/0, that has both an IPv4 and an IPv6 ACL configured in the ingress direction. In the output of show mpls interfaces, a Yes in the Enabled column means that MPLS is enabled on that interface:
RP/0/RP0/CPU0:NCS5501-1#show mpls interfaces
Thu Mar 16 02:47:56.142 UTC
Interface                  LDP      Tunnel   Static   Enabled
-------------------------- -------- -------- -------- --------
TenGigE0/0/0/0             No       No       No       Yes
TenGigE0/0/0/1             No       No       No       Yes
RP/0/RP0/CPU0:NCS5501-1#
The device is affected by this vulnerability if any of the MPLS-enabled interfaces in the preceding output has either an IPv4 or an IPv6 ACL applied in the ingress direction, as shown in the following example:
RP/0/RP0/CPU0:NCS5501-1#show run interface TenGigE0/0/0/0
!
interface TenGigE0/0/0/0
 description ** Example where IPv4 and IPv6 ACL ingress applied **
 ipv4 address 192.168.12.1 255.255.255.0
 ipv4 access-group CVE-2023-20191 ingress
 ipv6 access-group CVE-2023-20191 ingress
!
RP/0/RP0/CPU0:NCS5501-1#
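The two-step check above can be automated when a fleet of routers has to be triaged. The following script is an added example, not part of the Cisco advisory or of any Cisco tooling: it parses the text of show mpls interfaces and show running-config interface (both samples below are constructed to mirror the advisory's output, not captured from a real device), and reports only the interfaces that are both MPLS-enabled and carry an IPv4 or IPv6 ingress access-group. Egress-only ACLs and non-MPLS interfaces are deliberately excluded, since neither matches the vulnerable condition. How the command output is collected (SSH, NETCONF, an existing config backup) is left to the reader.

```python
import re

# Constructed sample of "show mpls interfaces" output, modelled on the
# advisory's example (not captured from a real device).
SHOW_MPLS_INTERFACES = """\
Thu Mar 16 02:47:56.142 UTC
Interface                  LDP      Tunnel   Static   Enabled
-------------------------- -------- -------- -------- --------
TenGigE0/0/0/0             No       No       No       Yes
TenGigE0/0/0/1             No       No       No       Yes
TenGigE0/0/0/2             No       No       No       No
"""

# Constructed sample of "show running-config interface" output.
# TenGigE0/0/0/1 has only an egress ACL; TenGigE0/0/0/2 has an ingress
# ACL but MPLS is not enabled on it, so neither should be reported.
SHOW_RUN_INTERFACES = """\
interface TenGigE0/0/0/0
 description ** Example where IPv4 and IPv6 ACL ingress applied **
 ipv4 address 192.168.12.1 255.255.255.0
 ipv4 access-group CVE-2023-20191 ingress
 ipv6 access-group CVE-2023-20191 ingress
!
interface TenGigE0/0/0/1
 ipv4 address 192.168.13.1 255.255.255.0
 ipv4 access-group EGRESS-ONLY egress
!
interface TenGigE0/0/0/2
 ipv4 address 192.168.14.1 255.255.255.0
 ipv4 access-group CVE-2023-20191 ingress
!
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)")
INGRESS_ACL_RE = re.compile(r"^\s*(ipv4|ipv6)\s+access-group\s+(\S+)\s+ingress\s*$")


def mpls_enabled_interfaces(show_mpls_output):
    """Step 1: interfaces whose Enabled column in "show mpls interfaces" is Yes."""
    enabled = set()
    for line in show_mpls_output.splitlines():
        cols = line.split()
        # A data row is: name, LDP, Tunnel, Static, Enabled, each flag Yes/No.
        # This also skips the timestamp, the header and the dashed separator.
        if len(cols) == 5 and all(c in ("Yes", "No") for c in cols[1:]):
            if cols[4] == "Yes":
                enabled.add(cols[0])
    return enabled


def ingress_acls(show_run_output):
    """Step 2: map interface name -> list of (afi, acl_name) applied ingress."""
    acls = {}
    current = None
    for line in show_run_output.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        m = INGRESS_ACL_RE.match(line)
        if m and current is not None:
            acls[current].append((m.group(1), m.group(2)))
    return acls


def affected_interfaces(show_mpls_output, show_run_output):
    """Interfaces that are MPLS-enabled AND have an IPv4/IPv6 ingress ACL."""
    enabled = mpls_enabled_interfaces(show_mpls_output)
    acls = ingress_acls(show_run_output)
    return {name: acls[name] for name in sorted(enabled) if acls.get(name)}


if __name__ == "__main__":
    hits = affected_interfaces(SHOW_MPLS_INTERFACES, SHOW_RUN_INTERFACES)
    if hits:
        print("Vulnerable configuration present (MPLS interface with ingress ACL):")
        for name, rules in hits.items():
            for afi, acl in rules:
                print(f"  {name}: {afi} access-group {acl} ingress")
    else:
        print("No MPLS-enabled interface carries an ingress IPv4/IPv6 ACL.")
```

Note that this check only establishes that the configuration matches the advisory's vulnerable condition; whether the running release is fixed still has to be confirmed against the Fixed Software section.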
IP ingress ACL filtering on MPLS interfaces is not currently supported on any other Cisco IOS XR platforms.
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
- IOS Software
- IOS XE Software
- NX-OS Software