PT-2016-7697 · Cisco · Cisco IOS +1

Published 2016-12-07 · Updated 2016-12-22 · CVE-2016-9201

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Cisco IOS and Cisco IOS XE Software versions prior to 15.6(2)T0.1
Cisco IOS and Cisco IOS XE Software versions prior to 15.6(2.0.1a)T0
Cisco IOS and Cisco IOS XE Software versions prior to 15.6(2.19)T
Cisco IOS and Cisco IOS XE Software versions prior to 15.6(3)M
Description

A logic flaw in the Zone-Based Firewall feature could allow an unauthenticated, remote attacker to pass traffic that should otherwise have been dropped according to the configured policy. The vulnerability occurs in a corner case where only one zone pair is defined in the egress direction and no reverse zone pair is defined in the opposite direction: for traffic subject to the egress action "pass", the return traffic is allowed instead of being dropped.
Recommendations

For versions prior to 15.6(2)T0.1, update to 15.6(2)T0.1 or later.
For versions prior to 15.6(2.0.1a)T0, update to 15.6(2.0.1a)T0 or later.
For versions prior to 15.6(2.19)T, update to 15.6(2.19)T or later.
For versions prior to 15.6(3)M, update to 15.6(3)M or later.

As a temporary workaround, consider configuring reverse zone pairs in the opposite direction to ensure return traffic is dropped as expected.
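The following Cisco IOS configuration is an added illustration and is not part of the advisory or of Cisco's own documentation. It shows the corner case the description refers to (a single egress zone pair whose policy uses the "pass" action, with no reverse zone pair) next to the advisory's workaround (an explicit reverse zone pair whose policy drops everything). Zone names, interface names and the class-map are assumed for illustration only.

```cisco
! Added example (not from the advisory). Zone, interface and class-map names
! are assumed.
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description Trusted LAN (assumed)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Untrusted WAN (assumed)
 zone-member security OUTSIDE
!
class-map type inspect match-any CM-WEB
 match protocol http
 match protocol https
!
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-WEB
  pass
 class class-default
  drop
!
! The corner case: only the egress zone pair exists. "pass" is stateless, so
! return traffic is expected to need its own OUTSIDE->INSIDE zone pair; on the
! affected releases the missing reverse pair lets it through instead.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
!
! Workaround from the advisory: define the reverse zone pair explicitly with a
! policy that drops (and logs) everything, so return traffic is dropped as
! intended until the software is updated.
policy-map type inspect PM-OUT-TO-IN
 class class-default
  drop log
!
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-TO-IN
!
! Verification: "show zone-pair security" should now list both directions.
```

The reason the reverse pair matters is that, unlike "inspect", the "pass" action does not create a stateful session entry, so return packets are evaluated on their own zone pair. Making that reverse pair explicit removes the dependency on the implicit deny that the affected releases mishandle.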

Tags: Fix · RCE · Information Disclosure

Weakness Enumeration

Related Identifiers: CVE-2016-9201

Affected Products: Cisco IOS, Cisco IOS XE