[Original] Vulnerability in Cisco IOS 11.1CC and 11.1CT with distributed fast switching (DFS) enabled allows remote attackers to bypass certain access control lists when the router switches traffic from a DFS-enabled interface to an interface that does not have DFS enabled, as described by Cisco bug CSCdk35564.
Cisco IOS DFS Interface Switch Access Control Bypass
Remote / Network Access
Loss of Integrity
Cisco IOS contains a flaw that may allow a malicious user to send packets, or fragments of packets, to an interface even when an access control list prohibits such traffic. The issue is triggered when distributed fast switching is enabled. The flaw may allow traffic that ought to be blocked by an ACL to transit from a DFS-enabled input interface to an output interface that does not have DFS enabled, resulting in a loss of integrity.
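The condition above is a per-interface mismatch: a DFS-enabled input interface forwarding to a non-DFS output interface, with an ACL somewhere on that path. The following Python audit script is an added example, not code from Cisco or from this record; it parses constructed `show ip interface` output and lists every DFS-to-non-DFS interface pair that has an inbound ACL on the source or an outgoing ACL on the destination. The sample output, the exact wording of the distributed-switching status line and the assumption that either ACL on such a path is in scope are all assumptions; adjust the regular expressions to the output of your own router before relying on the result.

```python
import re

# Constructed sample of `show ip interface` output. The interface names,
# addresses, ACL numbers and the "IP distributed fast switching" status line
# are assumptions made for this example, not captured from a real device.
SAMPLE_SHOW_IP_INTERFACE = """\
FastEthernet1/0/0 is up, line protocol is up
  Internet address is 192.0.2.1/24
  Outgoing access list is not set
  Inbound  access list is 101
  IP fast switching is enabled
  IP distributed fast switching is enabled
Serial2/0/0 is up, line protocol is up
  Internet address is 198.51.100.1/30
  Outgoing access list is 102
  Inbound  access list is not set
  IP fast switching is enabled
  IP distributed fast switching is disabled
Ethernet3/0 is up, line protocol is up
  Internet address is 203.0.113.1/24
  Outgoing access list is not set
  Inbound  access list is not set
  IP fast switching is enabled
  IP distributed fast switching is enabled
"""

# Interface header line, e.g. "Serial2/0/0 is up, line protocol is up".
IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down)")
# Inbound / outgoing ACL lines; IOS prints "not set" when none is applied.
ACL_RE = re.compile(r"^\s+(Outgoing|Inbound)\s+access list is (.+)$")
# Distributed fast switching status (line wording is an assumption).
DFS_RE = re.compile(r"^\s+IP distributed fast switching is (enabled|disabled)")


def parse_show_ip_interface(text):
    """Return {interface: {"in_acl": str|None, "out_acl": str|None, "dfs": bool|None}}."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"in_acl": None, "out_acl": None, "dfs": None}
            continue
        if current is None:
            continue
        m = ACL_RE.match(line)
        if m:
            key = "out_acl" if m.group(1) == "Outgoing" else "in_acl"
            value = m.group(2).strip()
            ifaces[current][key] = None if value == "not set" else value
            continue
        m = DFS_RE.match(line)
        if m:
            ifaces[current]["dfs"] = m.group(1) == "enabled"
    return ifaces


def find_dfs_acl_exposure(ifaces):
    """List (src, dst, [acl descriptions]) for every DFS-enabled input interface
    that can forward to a non-DFS output interface where an ACL is in play.
    Conservatively treats both the source's inbound ACL and the destination's
    outgoing ACL as potentially bypassed (an assumption; the record only says
    "certain access control lists")."""
    findings = []
    dfs_in = [name for name, info in ifaces.items() if info["dfs"] is True]
    non_dfs = [name for name, info in ifaces.items() if info["dfs"] is False]
    for src in dfs_in:
        for dst in non_dfs:
            acls = []
            if ifaces[src]["in_acl"]:
                acls.append(f"inbound ACL {ifaces[src]['in_acl']} on {src}")
            if ifaces[dst]["out_acl"]:
                acls.append(f"outgoing ACL {ifaces[dst]['out_acl']} on {dst}")
            if acls:
                findings.append((src, dst, acls))
    return findings


if __name__ == "__main__":
    parsed = parse_show_ip_interface(SAMPLE_SHOW_IP_INTERFACE)
    for src, dst, acls in find_dfs_acl_exposure(parsed):
        print(f"{src} (DFS) -> {dst} (no DFS): " + "; ".join(acls))
```

On the constructed sample this reports two exposed paths, both ending at Serial2/0/0, the only interface without DFS. A consistent switching mode across all interfaces removes the mismatch the record describes, but the only supported fix remains the IOS upgrade noted below.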
Upgrade to the version appropriate for your installation, as outlined in the vulnerable version matrix provided by Cisco. An upgrade is required as there are no known workarounds.