This vulnerability affects Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers that have a Supervisor Engine 720 Module or Supervisor Engine 32 Module running a vulnerable release of Cisco IOS Software, if all the following conditions exist for the device:
- The mls acl tcam share-acl command is configured.
- A PACL includes an ACE that contains a greater than operator, a less than operator, a tcp flag, the established keyword, or the range keyword.
- The PACL is applied to more than eight interfaces.
If all these conditions are met, an affected device will not apply filters that are in the same PACL and also contain a greater than operator, a less than operator, a tcp flag, the established keyword, or the range keyword.
For example, if the mls acl tcam share-acl command is configured for a device, a PACL is applied to nine of the device's interfaces, and the PACL contains the following ACE, the device will allow all TCP traffic without honoring the established keyword:
    permit tcp any any established
Note that other ACEs in the PACL will still work if they do not include an affected operator or keyword. The PACL is not bypassed completely; only the ACEs that use the affected operators or keywords are not applied.
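As an added audit example (not part of the Cisco advisory and not Cisco's code), the following Python script checks a saved IOS running-config for the three conditions listed above: the mls acl tcam share-acl command present, a PACL containing an ACE with gt, lt, range, established or a TCP flag keyword, and that PACL applied to more than eight interfaces. It assumes standard IOS "ip access-list extended" and interface "ip access-group" syntax, and treats an ACL applied on an interface configured with "switchport" as a PACL (an assumption made for this example; ACLs on routed interfaces are ignored). The configuration it scans is constructed for the example.

```python
"""Audit a saved Cisco IOS running-config for the share-acl / PACL condition.

Example code added here, not Cisco's. Assumptions: standard IOS named extended
ACL and interface syntax; an ACL bound with 'ip access-group' on a 'switchport'
interface is treated as a PACL.
"""
import re
from collections import defaultdict

# Operators and keywords named in the advisory: gt, lt, range, established,
# plus the TCP flag keywords IOS extended ACLs accept (ack fin psh rst syn urg).
AFFECTED_TOKENS = {"gt", "lt", "range", "established",
                   "ack", "fin", "psh", "rst", "syn", "urg"}
SHARE_ACL_CMD = "mls acl tcam share-acl"
MAX_SAFE_INTERFACES = 8  # advisory threshold: "more than eight interfaces"

# Constructed sample config: PACL-EDGE (uses 'established') is bound to nine
# switchports; PACL-SAFE is bound to one; Vlan10 is a routed interface.
SAMPLE_CONFIG = (
    "hostname edge-6500\n"
    "mls acl tcam share-acl\n"
    "!\n"
    "ip access-list extended PACL-EDGE\n"
    " remark ports in range used by the edge\n"
    " permit tcp any any established\n"
    " permit tcp any any eq 80\n"
    " deny ip any any\n"
    "!\n"
    "ip access-list extended PACL-SAFE\n"
    " permit tcp any any eq 22\n"
    " deny ip any any\n"
    "!\n"
    + "".join(
        f"interface GigabitEthernet1/{n}\n switchport\n"
        f" ip access-group PACL-EDGE in\n!\n" for n in range(1, 10)
    )
    + "interface GigabitEthernet1/10\n switchport\n ip access-group PACL-SAFE in\n!\n"
    + "interface Vlan10\n ip address 192.0.2.1 255.255.255.0\n"
      " ip access-group PACL-EDGE in\n!\n"
    + "end\n"
)


def _blocks(text):
    """Split IOS config into (top-level header, [indented body lines]) blocks."""
    blocks = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith(" "):
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))   # '!' becomes an empty block
    return blocks


def parse_config(text):
    """Return (share_acl_configured, {acl: [lines]}, {acl: {switchport ifaces}})."""
    share_acl = False
    acls = {}
    pacl_ifaces = defaultdict(set)
    for header, body in _blocks(text):
        if header == SHARE_ACL_CMD:
            share_acl = True
        elif (m := re.match(r"ip access-list extended (\S+)$", header)):
            acls.setdefault(m.group(1), []).extend(body)
        elif (m := re.match(r"interface (\S+)$", header)):
            if "switchport" not in body:
                continue  # routed port: ACL here is not a PACL (assumption)
            for entry in body:
                g = re.match(r"ip access-group (\S+) (in|out)$", entry)
                if g:
                    pacl_ifaces[g.group(1)].add(m.group(1))
    return share_acl, acls, dict(pacl_ifaces)


def uses_affected_operator(ace):
    """True if a permit/deny ACE uses an operator or keyword from the advisory."""
    tokens = ace.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        return False  # remarks and other non-ACE lines never match
    return bool(set(tokens[1:]) & AFFECTED_TOKENS)


def find_affected_pacls(text, max_interfaces=MAX_SAFE_INTERFACES):
    """List PACLs meeting all three conditions, with the ACEs that would be ignored."""
    share_acl, acls, pacl_ifaces = parse_config(text)
    if not share_acl:
        return []  # first condition absent: nothing to report
    findings = []
    for name, ifaces in sorted(pacl_ifaces.items()):
        if len(ifaces) <= max_interfaces:
            continue
        bad = [ace for ace in acls.get(name, []) if uses_affected_operator(ace)]
        if bad:
            findings.append({"acl": name, "interfaces": len(ifaces), "aces": bad})
    return findings


if __name__ == "__main__":
    for f in find_affected_pacls(SAMPLE_CONFIG):
        print(f"{f['acl']}: bound to {f['interfaces']} switchports; "
              f"ACEs that would not be applied: {f['aces']}")
```

Run against a real "show running-config" capture instead of SAMPLE_CONFIG; an empty result means at least one of the three conditions is not present, and a finding names the ACEs whose operators or keywords the advisory says would be ignored.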
No other Cisco products are currently known to be affected by this vulnerability.