CISCO IOS 12.1.4 Security Hole

[Mike Bressem <mb () IMSC NET>]

Hi there,

today I upgraded my cisco 1003 to IOS 12.1(4). The funny thing is that my
accesslist on the BRI is no longer working. Take a look at the config and
see for yourself :

interface BRI0
 ip unnumbered Ethernet0
 ip access-group 101 in
 no ip redirects
 no ip proxy-arp
 encapsulation ppp
 no logging event link-status
 no keepalive
 dialer idle-timeout 240
 dialer wait-for-carrier-time 300
 dialer map ip XXX name XXX XXX
 dialer hold-queue 100 timeout 120
 dialer-group 1
 no snmp trap link-status
 isdn switch-type basic-net3
 isdn caller XXX
 isdn incoming-voice data
 compress stac
 ppp authentication chap
 ppp chap hostname XXX
 hold-queue 100 in
 hold-queue 100 out
!

access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain 213.178.0.0 0.0.0.31
access-list 101 permit tcp any eq ftp-data 213.178.0.0 0.0.0.31
access-list 101 permit tcp host 213.178.0.34 host 213.178.0.1 eq 22
access-list 101 permit tcp host 213.178.0.34 host 213.178.0.30 eq telnet
access-list 101 permit gre host 213.178.0.34 213.178.0.0 0.0.0.31
access-list 101 permit gre host 193.242.95.5 213.178.0.0 0.0.0.31
access-list 101 permit udp any 213.178.0.0 0.0.0.31 gt 1023
access-list 101 deny   ip any any log



I can ping my laptop behind the router from the outside. Acl 101 is no
longer working after the upgrade.


regards,
mike


Mike Bressem                            Internet Management GmbH
============                            Hauptstr. 40
                                        35745 Herborn - Germany
"Fate, it seems, is not                 Telefon +49 2772 4723 - 0
without a sense of irony"               Telefax +49 2772 4723 - 29

PGP Fingerprint : 6F 24 75 C4 AE 55 CB E0  F2 E8 D6 DB 35 37 9F EC