Cisco IOS contains a security issue in its handling of Generic Routing Encapsulation (GRE) packets. A crafted GRE packet can cause a router to emit a new IP packet whose source address is the router's own address rather than that of the actual sender. This could allow an attacker to bypass certain ACLs.
GRE is a tunneling protocol for encapsulating packets of an arbitrary network-layer protocol inside packets of another (or the same) network-layer protocol; it is specified in RFC 1701 and RFC 2784. RFC 1701 defined a Routing Present bit, a Strict Source Route bit and an optional Routing field made up of Source Route Entries; RFC 2784 removed all of them, but some Cisco routers still honor them.

Because of this, a remote attacker who controls, or can spoof the source address of, a valid GRE tunnel endpoint can send crafted GRE packets carrying these deprecated flags to the router at the other end of the tunnel. When the router decapsulates such a packet, it forwards the inner packet with its own IP address as the source. This can be used to bypass ACLs that block direct traffic from the GRE endpoint, allowing the attacker to deliver packets to internal systems that would otherwise be protected. To stage a successful attack, the attacker must know a valid internal IP address to use as the destination of the crafted packet.
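The following parser shows what the deprecated RFC 1701 fields look like on the wire and how a tunnel endpoint, IDS rule or upstream filter can reject GRE packets that carry them. It is an added example written for this page, not code from Cisco or from the original advisory; the two sample packets are constructed inline (the inner payload is a placeholder, and the hop address 10.0.0.5 in the Source Route Entry is an arbitrary assumption).

```python
import struct
from ipaddress import IPv4Address

# Flag bits in the first 16-bit word of the GRE header, RFC 1701 layout.
GRE_C = 0x8000      # Checksum Present
GRE_R = 0x4000      # Routing Present      (removed in RFC 2784)
GRE_K = 0x2000      # Key Present          (restored by RFC 2890)
GRE_S = 0x1000      # Sequence Present     (restored by RFC 2890)
GRE_s = 0x0800      # Strict Source Route  (removed in RFC 2784)
GRE_RECUR = 0x0700  # Recursion Control    (removed in RFC 2784)
GRE_VER = 0x0007    # Version; 0 is GRE, 1 is PPTP's enhanced GRE

AF_IPV4 = 0x0800    # Address Family value used for IPv4 Source Route Entries


def parse_gre(buf: bytes) -> dict:
    """Parse a GRE header laid out per RFC 1701 (a superset of RFC 2784/2890).
    Returns the header fields, the list of Source Route Entries (SREs) and the
    remaining payload; raises ValueError on truncated input."""
    if len(buf) < 4:
        raise ValueError("GRE header truncated")
    flags, proto = struct.unpack("!HH", buf[:4])
    hdr = {
        "flags": flags,
        "protocol": proto,
        "version": flags & GRE_VER,
        "routing_present": bool(flags & GRE_R),
        "strict_source_route": bool(flags & GRE_s),
        "checksum": None, "offset": None, "key": None, "seq": None,
        "sres": [],
    }
    off = 4
    # Checksum and Offset words are present if either C or R is set.
    if flags & (GRE_C | GRE_R):
        if len(buf) < off + 4:
            raise ValueError("checksum/offset truncated")
        hdr["checksum"], hdr["offset"] = struct.unpack("!HH", buf[off:off + 4])
        off += 4
    if flags & GRE_K:
        if len(buf) < off + 4:
            raise ValueError("key truncated")
        hdr["key"] = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    if flags & GRE_S:
        if len(buf) < off + 4:
            raise ValueError("sequence number truncated")
        hdr["seq"] = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    if flags & GRE_R:
        # Routing field: a chain of SREs terminated by an SRE with AF=0, length=0.
        while True:
            if len(buf) < off + 4:
                raise ValueError("SRE truncated")
            af, sre_off, sre_len = struct.unpack("!HBB", buf[off:off + 4])
            off += 4
            if af == 0 and sre_len == 0:
                break
            if len(buf) < off + sre_len:
                raise ValueError("SRE routing information truncated")
            info = buf[off:off + sre_len]
            off += sre_len
            hops = []
            if af == AF_IPV4 and sre_len % 4 == 0:
                hops = [str(IPv4Address(info[i:i + 4])) for i in range(0, sre_len, 4)]
            hdr["sres"].append({"af": af, "offset": sre_off, "hops": hops, "raw": info})
    hdr["payload"] = buf[off:]
    return hdr


def gre_findings(hdr: dict) -> list:
    """Return the reasons a tunnel endpoint or an upstream filter should drop
    this GRE packet. A receiver that follows RFC 2784 must discard packets with
    the R, s or Recur bits set; RFC 2890 permits only K and S in addition."""
    findings = []
    if hdr["version"] != 0:
        findings.append("non-zero version")
    if hdr["routing_present"]:
        findings.append("routing present (R bit, RFC 1701 only)")
    if hdr["strict_source_route"]:
        findings.append("strict source route (s bit, RFC 1701 only)")
    if hdr["flags"] & GRE_RECUR:
        findings.append("recursion control non-zero")
    for sre in hdr["sres"]:
        if sre["hops"]:
            findings.append("IPv4 source route via " + ", ".join(sre["hops"]))
    return findings


# Constructed samples, not captured traffic. The inner packet is a placeholder.
INNER = b"INNER-IPV4-PACKET"
# 1) RFC 2784-style GRE header: no option bits, protocol type 0x0800 (IPv4).
GRE_PLAIN = bytes.fromhex("0000 0800") + INNER
# 2) Crafted RFC 1701 header: R and s set, zeroed checksum/offset, one IPv4 SRE
#    naming 10.0.0.5 (assumed address) as the hop, then the terminating SRE.
GRE_SOURCE_ROUTED = (
    bytes.fromhex("4800 0800")      # flags R|s, protocol type IPv4
    + bytes.fromhex("0000 0000")    # checksum, routing offset
    + bytes.fromhex("0800 00 04")   # SRE: AF IPv4, offset 0, length 4
    + bytes([10, 0, 0, 5])          # routing information: one hop
    + bytes.fromhex("0000 00 00")   # terminating SRE
    + INNER
)

if __name__ == "__main__":
    for name, pkt in (("plain", GRE_PLAIN), ("source-routed", GRE_SOURCE_ROUTED)):
        h = parse_gre(pkt)
        print(name, gre_findings(h) or "ok", h["payload"][:8])
```

Run stand-alone, the plain packet produces no findings while the crafted one is flagged for the R bit, the s bit and the embedded IPv4 source route. The same predicate can be applied on the outer GRE header before decapsulation, which is where a filter has to sit: once the router has decapsulated and re-sourced the inner packet, the ACLs downstream see only the router's own address.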
Cisco confirmed this issue in a security response and released updated software.