Date: Thu, 5 Nov 1998 17:33:44 -0000
From: [email protected]
To: [email protected]Subject: Cisco security notice: Cisco IOS DFS Access List Leakage
-----BEGIN PGP SIGNED MESSAGE-----
Field Notice:
Cisco IOS DFS Access List Leakage
Revision 1.2
For release 08:00 AM US/Pacific, Thursday, November 5, 1998
Cisco internal use only until release date.
Summary
=======
Errors in certain Cisco IOS software versions for certain routers can cause
IP datagrams to be output to network interfaces even though access lists
have been applied to filter those datagrams. This applies to routers from
the Cisco 7xxx family only, and only when those routers have been configured
for distributed fast switching (DFS).
There are two independent vulnerabilities, which have been given Cisco bug
IDs CSCdk35564 and CSCdk43862. Each vulnerability affects only a specialized
subset of DFS configurations. Affected configurations are not believed to be
extremely common, but neither are they extremely rare. More details of
affected configurations are in the "Who is Affected" section of this
document.
These vulnerabilities may permit users to send packets to parts of the
customer's network for which they are not authorized. This may permit
unauthorized access or other attacks on customer computer systems or data.
Cisco does not know of any incidents in which these vulnerabilities have
actually been exploited by attackers.
Neither vulnerability affects any Cisco product other than routers in the
70xx, 72xx or 75xx series. Of 70xx routers, only routers with the optional
route-switch processor (RSP) card are affected. Additional configuration
conditions apply.
Who is Affected
===============
These vulnerabilities apply only to the Cisco 7xxx router family. The Cisco
7xxx family are large, rack-mounted backbone routers used primarily by
Internet service providers and in large enterprise networks.
Cisco 75xx routers are affected by both vulnerabilities. Cisco 72xx routers
are affected only by CSCdk35564, and not by CSCdk43862. Cisco 70xx routers
are affected only if they have RSP cards installed.
Although each of the vulnerabilities is different and manifests itself under
different conditions, both involve DFS. DFS is not enabled by default in any
Cisco product, and must be manually configured. If the command ip
route-cache distributed does not appear in your router configuration file,
then you are not affected by either vulnerability.
Specifically, process switching (no ip route-cache), ordinary fast switching
(ip route-cache), optimum switching (ip route-cache optimum), and CEF or
dCEF switching (ip route-cache cef, ip cef distributed switch) are not
affected. Flow switching is considered a form of fast switching, and is
affected only in distributed mode. Interactions between flow switching and
access lists reduce, but do not eliminate, the impact of both
vulnerabilities when flow switching is enabled along with DFS.
CSCdk35564 affected configurations
- --------------------------------
CSCdk35564 is a defect in the 11.1CC and 11.1CT releases. Routers running
Cisco IOS software versions other than 11.1CC and 11.1CT are not affected by
CSCdk35564. Cisco 72xx and 75xx routers are affected; Cisco 70xx routers are
not supported with the affected hardware/software combinations.
To be affected by CSCdk35564, your router must be configured to switch
traffic from an interface with DFS enabled to an interface without
DFS enabled. This most commonly happens when routers contain both versatile
interface processor (VIP) interface cards and non-VIP interface cards. Since
DFS is supported only on VIP interfaces, traffic from a VIP to a non-VIP
interface may be going from DFS to non-DFS.
If DFS is enabled on all of the interfaces in your router, then you are not
affected by CSCdk35564. If DFS is not enabled on any interface in your
router, then you are not affected. If you do not use the ip access-group
command to filter outgoing traffic on any non-DFS interfaces, then you are
not affected.
CSCdk43862 affected configurations
- --------------------------------
CSCdk43862 affects 11.1, 11.2, and 11.3 versions of Cisco IOS software on
the Cisco 70xx and 75xx series; see the table later in this document for
details. The Cisco 72xx series is not affected by CSCdk43862, regardless of
the software version in use.
To be vulnerable, your router must be configured to switch traffic from an
input interface with DFS enabled to a logical subinterface of a physical
output interface. The output interface may or may not have DFS enabled; the
important question for the output interface is whether or not subinterfaces
are in use, and whether or not output traffic to subinterfaces is being
filtered.
Subinterfaces are pseudo-interfaces associated with subsets of the traffic
on physical interfaces. For instance, a physical Frame Relay interface might
have a subinterface associated with each Frame Relay PVC. Subinterfaces do
not exist by default; they are created as part of user configuration.
Subinterface numbers always contain periods, as in "Serial 0/1.1". If your
configuration file does not contain any such "dotted" interface numbers,
then you are not vulnerable.
If you do not use the ip access-group command to apply output access-list
filtering to subinterfaces, then you are not vulnerable.
CSCdk43862 causes the access list applied to one subinterface on a physical
interface to be incorrectly used for traffic destined for a different
subinterface. If you use the same access list to filter outbound traffic on
all subinterfaces of any given physical interface, then you are not
vulnerable.
Impact
======
Incorrect access-list filtering may be applied to output packets. Output
access lists are frequently used to implement security filtering, and the
failure of such access lists may permit users to send packets to parts of
the network for which they are not authorized. This, in turn, may permit
them to bypass security restrictions, and to gain access to data or
resources from which they should be excluded.
Neither of the defects described in this notice "fails reliably". The same
access lists, on the same interfaces, may work correctly at some times, and
fail at other times. Because of this, administrators who test their access
lists may be misled into believing that the access lists are providing
effective protection, when in fact they are not.
CSCdk43862 may result in legitimate traffic being filtered out, as well as
in undesired traffic being permitted to pass through the router. CSCdk35564
never filters legitimate traffic; it only permits undesired traffic.
An attacker who had detailed knowledge of these vulnerabilities might be
able to create conditions favorable to unauthorized access being permitted.
However, such activity would probably be unnecessary; even without
deliberate intervention by an attacker, such conditions would be expected to
occur frequently during the operation of most affected networks.
Workarounds
===========
These vulnerabilities can be worked around by disabling DFS on network
interfaces (with no ip route-cache distributed). Be aware that the purpose
of DFS is to transfer computational load from the router's primary CPU to
the CPUs on the VIP cards, and that disabling DFS may therefore cause
overload of the primary CPU. Evaluate your traffic load and CPU usage before
using this workaround.
If all interfaces in the router are DFS-capable, but DFS has for some reason
been enabled only on some of the interfaces, it may be possible to work
around CSCdk35564 by enabling DFS on all interfaces. This will not affect
CSCdk43862.
CSCdk43862 can sometimes be worked around by reconfiguring to use the same
output access list on all the subinterfaces of a physical interface.
Another possible workaround is to redesign the access lists structure on the
router to avoid the need for output access lists on affected interfaces.
Software Versions and Fixes
CSCdk43862 has a duplicate report, CSCdk43696. The bug ID CSCdk43862 should
be used to refer to this defect.
The following table summarizes the affected Cisco IOS software versions for
both CSCdk35564 and CSCdk43862, and indicates which versions have been
fixed. To use the table, look up the software release you're currently
running (available from the show version command on your router) in the
first column of the table. The other columns of the table tell you which
Cisco IOS software versions from your major release have been fixed, and
which versions Cisco recommends you install.
The table lists both interim versions and regular released versions. Interim
versions receive far less testing, and are generally of less certain
quality, than regular released versions. Cisco recommends installing regular
released software whenever possible. Interim versions are listed for
reference, and for the convenience of customers who must upgrade before
appropriate regular released versions are available.
As always, a fix applied to one regular released version in a major release
means that all later versions of that major release are also fixed. For
instance, 11.2(17) is fixed, so 11.2(18) and later are also fixed.
The table is designed to cover all supported software on all affected Cisco
routers. If you are running distributed fast switching on a 72xx router, a
75xx router, or a 70xx router with an RSP processor, and you are using an
11.1, 11.2, or 11.3 release not listed in the table, please contact the
Cisco TAC for assistance.
+----------+-------------+-----------+-------------+------------+-------------+
|Cisco IOS |Initial CSCdk35564 Fixes |Initial CSCdk43862 Fixes |Upgrade Path |
|Major | | |for 7xxx DFS |
|Release |Interim |Regular |Interim |Regular |Users |
|(only |(minimal |(dates are |(minimal |(dates are | |
|7xxx |testing; |subject to |testing; |subject to | |
|releases |urgent |change) |urgent |change) | |
|are |upgrades | |updates | | |
|listed) |only) | |only) | | |
+==========+=============+===========+=============+============+=============+
|11.0 and |Unaffected |Unaffected |Unaffected |Unaffected |Unaffected |
|earlier, | | | | | |
|all | | | | | |
|variants | | | | | |
+----------+-------------+-----------+-------------+------------+-------------+
|11.1 |Unaffected |Unaffected | - | - |Go to 11.1CA |
+----------+-------------+-----------+-------------+------------+-------------+
|11.1CA |Unaffected |Unaffected |11.1(22)CA |11.1(22)CA |11.1(22)CA or|
|(core ED) | | | | |later |
+----------+-------------+-----------+-------------+------------+-------------+
|11.1CC |11.1(21.2)CC |11.1(21)CC1|11.1(21.2)CC |11.1(21)CC1 |11.1(21)CC1, |
|(CEF ED) | |11.1(22)CC | |11.1(22)CC |11.1(22)CC or|
| | | | | |later |
+----------+-------------+-----------+-------------+------------+-------------+
|11.1CT |11.1(21.2)CT |11.1(22)CT |11.1(21.2)CT |11.1(22)CT |11.1(22)CT or|
|(tag | | | | |later |
|switch | | | | | |
|ED) | | | | | |
+----------+-------------+-----------+-------------+------------+-------------+
|11.2 |Unaffected |Unaffected |11.2(16.1) |11.2(17), |11.2(17) or |
| | | | |planned |later; |
| | | | |Jan-1999 |11.2(16.1) or|
| | | | | |11.3 if |
| | | | | |11.2(17) |
| | | | | |schedule |
| | | | | |unacceptable |
+----------+-------------+-----------+-------------+------------+-------------+
|11.2F |Unaffected |Unaffected | - | - |Go to 11.3 |
+----------+-------------+-----------+-------------+------------+-------------+
|11.2P |Unaffected |Unaffected |11.2(16.1)P |11.2(17)P, |11.2(17)P or |
|(platform | | | |planned |later; |
|ED) | | | |Jan-1999 |11.2(16.1)P or
| | | | | |11.3 if |
| | | | | |11.2(17)P |
| | | | | |schedule |
| | | | | |unacceptable.|
+----------+-------------+-----------+-------------+------------+-------------+
|11.2BC |Unaffected |Unaffected |11.2(16.1)BC |11.2(17)BC, |11.2(17)BC or|
|(CIP ED) | | | |planned |later; |
| | | | |Jan-1999 |11.2(16.1)BC |
| | | | | |if 11.2(17)BC|
| | | | | |schedule |
| | | | | |unacceptable.|
+----------+-------------+-----------+-------------+------------+-------------+
|11.3 |Unaffected |Unaffected |11.3(6.2) |11.3(7), |11.3(7) or |
| | | | |planned |later |
| | | | |Nov-1998 | |
+----------+-------------+-----------+-------------+------------+-------------+
|11.3T |Unaffected |Unaffected |11.3(6.2)T |11.3(7)T, |11.3(7)T or |
| | | | |planned |later |
| | | | |Nov-1998 | |
+----------+-------------+-----------+-------------+------------+-------------+
|11.3NA |Unaffected |Unaffected |11.3(6.2)NA |11.3(7)NA, |11.3(7)NA or |
|(voice | | | |Planned |later; |
|ED) | | | |Dec-1998 |11.3(6.2)NA if
| | | | | |11.3(7)NA |
| | | | | |schedule |
| | | | | |unacceptable.|
+----------+-------------+-----------+-------------+------------+-------------+
|11.3(2)XA |Unaffected |Unaffected | - | - |11.3(7) or |
| | | | | |later |
+----------+-------------+-----------+-------------+------------+-------------+
|12.0(1) |Unaffected |Unaffected |Unaffected |Unaffected |Unaffected |
|and | | | | | |
|later, | | | | | |
|all | | | | | |
|variants | | | | | |
+----------+-------------+-----------+-------------+------------+-------------+
Because of restricted port adapter support, Cisco does not believe that
many, if any, customers are using DFS with 11.1 mainline software. 11.1CA is
recommended for both functionality and stability reasons.
The 11.1(21)CC1 release is a special release of 11.1CC; the 11.1CC release
sequence runs from 11.1(21)CC through 11.1(21)CC1, then to 11.1(22)CC.
11.3(2)XA was a special one-time release based on 11.3(2). The functionality
of 11.3(2)XA was carried into the 11.3(3) release.
Getting Fixed Software
- --------------------
Cisco is offering free software updates to correct these defects for all
vulnerable customers, regardless of contract status.
As with any software change, you should check to make sure that your
hardware can support the new software before installing it. The most common
problem is inadequate RAM. While this is seldom a problem when upgrading
within a major release (say, from 11.2(11)P to 11.2(17)P), it is often an
issue when upgrading between major releases (say, from 11.2(11)P to
11.3(7)T). Further assistance is available on Cisco's Worldwide Web site at
http://www.cisco.com.
Customers with service contracts should obtain new software through their
regular update channels (generally via Cisco's Worldwide Web site).
Customers with service contracts may upgrade to any software release, but
must, as always, remain within the boundaries of the feature sets they have
purchased. Cisco does not recommend upgrading to a new major release without
careful planning.
Customers without service contracts may upgrade only to obtain the bug
fixes; they are not offered upgrades to versions newer than required to
resolve the defects. In general, customers without service contracts will be
restricted to upgrading within a single row of the table above. Customers
without service contracts should get their updates by contacting the Cisco
TAC. TAC contacts are as follows:
* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* [email protected]
Give the URL of this notice as evidence of your entitlement to a free
update. Free updates for non-contract customers must be requested through
the TAC. Please do not contact either "[email protected]" or
"[email protected]" for software updates.
Exploitation and Public Announcements
Cisco knows of no public announcements or discussion of these
vulnerabilities prior to the date of this notice.
CSCdk35564 was found by a Cisco customer during installed-system testing.
CSCdk43862 was found by Cisco during internal testing.
Because of the nature of these vulnerabilities, attackers would rarely be
expected to exploit them directly. In most cases, attackers would simply
find themselves with access to network resources to which administrators
thought they had denied access. Cisco has had no actual reports of malicious
attacks succeeding because of this vulnerability, nor of anyone deliberately
trying to create "vulnerable" conditions.
Status of This Notice
This is a final field notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions of
this notice unless there is some material change in the facts. Should there
be a significant change in the facts, Cisco may update this notice.
Distribution
- ----------
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/770/iosdfsacl-pub.shtml . In addition to
Worldwide Web posting, the initial version of this notice is being sent to
the following e-mail and Usenet news recipients:
* [email protected]
* [email protected]
* [email protected] (includes CERT/CC)
* [email protected]
* [email protected]
* comp.dcom.sys.cisco
* [email protected]
* Various internal Cisco mailing list
Future updates of this notice, if any, will be placed on Cisco's Worldwide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.
Revision History
- --------------
Revision 1.0, 00:12 US/Pacific, First public release candidate version.
2-NOV-1998
Revision 1.1, 20:08 US/Pacific, Cosmetic edits.
2-NOV-1998
Revision 1.2, 08:55 US/Pacific, More cosmetic edits.
3-NOV-1998
Cisco Security Procedures
Please report security issues with Cisco products, and/or sensitive security
intrusion emergencies involving Cisco products, to [email protected]
. Reports may be encrypted using PGP; public RSA and DSS keys for
"[email protected]" are on the public PGP keyservers.
The alias "[email protected]" is used only for reports incoming to
Cisco. Mail sent to the list goes only to a very small group of users within
Cisco. Neither outside users nor unauthorized Cisco employees may subscribe
to "[email protected]".
Please do not use "[email protected]" for configuration questions,
for security intrusions that you do not consider to be sensitive
emergencies, or for general, non-security-related support requests. We do
not have the capacity to handle such requests through this channel, and will
refer them to the TAC, delaying response to your questions. We advise
contacting the TAC directly with these requests. TAC contact numbers are as
follows:
* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* [email protected]
All formal public security notices generated by Cisco are sent to the public
mailing list "[email protected]". For information on
subscribing to this mailing list, send a message containing the single line
"info cust-security-announce" to "[email protected]". An analogous list,
"[email protected]" is available for public discussion of the
notices and of other Cisco security issues.
Press contacts
- ------------
Press inquiries regarding Cisco security notices should be directed to Doug
Wills, [email protected], +1 408 527 9475.
This notice is copyright 1998 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, including
this copyright notice and all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQEVAwUBNkHFQ3LSeEveylnrAQHzdQgAsEDgjf6wOFohQVg7aXGrSWc8oPFY8HM5
nqRMY7q2YkRYn7B8Pt1PqqsigxanQm3lN2Ke8fMvZQUpwnHjm1ajR9AGlvvViGgq
fPnzdGQNtZkq5aAvoBxZ7ZMhDTu++AJLBnxHtfG4Kl34bTWHZiHdoxY43Zanq4nL
fsxft+RSR54ja2mSo23DwGkMYjxcXV2RyuZtKEe5dqpeGbeNe0pv+d5SgpGuL+PB
+GZavuSdyafelQa7FGLIcJwxzE0ANRkBY+UHksyJme5uBRsP9gQFahE/rR6d1p/V
kBClFpvmPKBQOPjiYD9iaUUb6tAkcLvctyHwPKo/H7E605LazBruFQ==
=og6M
-----END PGP SIGNATURE-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP for Personal Privacy 5.0
mQENAzXPH5oC2wEIAMeLeBbPlxIznjaMMKWFlhVgQ85n4wm6A1ZeVCm0D8zRzATl
IKC365xXRKx8bwTn5XjKxZ5/XVuZjhsMS/CCa7B4FfxqjYBpEvfWEYDmPfzipTC3
nPAEc3T4yNWfaDKPxqv85WK+3yn0rpygWEgqw8+/n8QvoSbBEA9DU+5RTHIDEfOF
vmqtDYB/2luIubN4X2jazwLeGhocarrbZmEW4fKsOpQ1xS1IuWbn9AWXjchMfL8z
i+ow9p6BA2I0eqmP/c1Ld+cL/befk3/l8rPA7UUFOn1je7Fng0WAAUvjoHU56fO2
oF6rO5jfHFu6yBt2ouRem/KMzx6WctJ4S97KWesABRG0R0Npc2NvIFN5c3RlbXMg
UHJvZHVjdCBTZWN1cml0eSBJbmNpZGVudCBSZXNwb25zZSBUZWFtIDxwc2lydEBj
aXNjby5jb20+iQEVAwUQNc8fmnLSeEveylnrAQE/OAf8DGH1DxPga+LKFyqf6lKT
5SDnmeTOu9D4hnHe/14Vu+AFfmrXqlGJ+GeK6mlNTOSSW84p5DQ7Pswbp6QNJBw/
08AAkvwqKTnowHUdtBM3GSvepMEkQuZcFFPtrobgXYrOgRumG1Lbuni/UysnYxZx
zkcetSkPyYSzjH1aHFd89BJNGYn1dy8hu/znbLVtUxfAhK3tPOlC7EfygEsOF2VC
7nUA13uGUBrs34zwJi/GalgKDGU+HxeEC5lmYxJVu1ftMy+g+0VGTBpXSSK3G99y
HfokysYr/RsB50ZEUZKprz5tmYIEUAGyf6nOIfC5ctmGwnXh7xX7OppzFl7Zqk5D
iYkAPwMFEDXPIpCWgad8PVLgfxECuK8AoNBJNor02wuTI9mVACgaknKdSqn9AJ9v
Zg3u0d5lx3l+QmkupOtBU40us4kBFQMFEDXPJBwMj7Lhmx7xKQEBhscIAJEkpzdv
pzjHfETEZymleUvq9IO1mVDQDQiyG02akI2PUe39Tl57jKjQ8Lyus0cfvHs7qVc8
jj2e1+mUyXA1AwWOZaJsgVdkZIFKJnU9MfN3XIxwwkg7g3dB99oPrAbTgWkKdodJ
mTnKsXntAYcmg7/4a5UYujJ2+J/7z1ZmiMtqHu4hU7B36DoxZadmaOPe1cIzsy+5
vBgg5vesDLb4O+3dae6BgsCay0eSLdfLkxI9hTGGiFTHrkgBaxOvQn6oUxVxnJC3
EWfasJzFjjxSrXxNuUqL9fRXDNOYH2P9tcQtjOypZPOGgtLvwCf0rQl/6jNxIWTJ
Hk/WXKbunvRKDISJARUDBRA2QcdGRmLnWCARuHkBAeMJB/47XZPoqSmpWWeKfmNq
ND8e9pidbnMDJsPrejR76xX41QtGjc9t9VjkDJ0Y+k5RNc0JO7raZEuCKP/Pxfdu
aBPNLrAcPdz4dT0dKuS3xA0vpxtZ5M8ySU65sOmlg5qDTztEwmiRLstOSrgk5Dem
njq40ACb2DEDLsL9ODse04dr3/efPJ/aC6bYPgyH1VIKIt1bl3buZ25dLOtnsP28
czqtNRuYiawuyz9oChUpcB336qI87PU8X1FVRFbVIaSbQrJKh1TWU5PtFYXRFksc
2qOwQbD/T6WGJLFpUZB7XHCDxP6PFLZPGTKtzWRShianHVlTjNtsqDGbhbNkFkQQ
dSq2tFEgQ2lzY28gU3lzdGVtcyBwcm9kdWN0IHNlY3VyaXR5IGluY2lkZW50L2J1
ZyByZXBvcnRpbmcgPHNlY3VyaXR5LWFsZXJ0QGNpc2NvLmNvbT6JARUDBRA1zyEv
ctJ4S97KWesBARhxB/9gmERHrgw8dZa5ainE7kp9d3srlWrAAuJyEZLmOU/oqQB6
tKdn8ENEMsRrzA/J2qBIk8LTuLR1hH6mqhv7cbdHa2mvv/5l/6q/OuSv+KrQ3tp+
nQ897gcv8FJ+Yu+t9NnbYaFJ2x6cboNTZCqqKfxR2JPRs7QTBZRfuQjpQZOX2LWM
w9ja4XOaAPJTwZiTQHDPYn1SBM2BxJySHHaKq8Bigs/dccQI1vl58lrYifNJkQyc
fPPKheZZpppKKYK8a0cIpB6axTLEs0/Vard0bbOz7TzzmkgZRHBoCjoTeT3Fp6SG
qzHsrazpHLbE466jGjhCrnYGhoA6yILAXOomB8GmiQA/AwUQNc8i5ZaBp3w9UuB/
EQIv3ACg6jhcSbTcyyfKms2HDzkAtF7DSBkAoPp5ceXULXLCs1OJYMfRJ9HSP2p2
iQEVAwUQNc8kbwyPsuGbHvEpAQFwRAf/aYTlFsOyJn74QC1aV56M1PvbSoARRAK0
92PIVEWI2FtzTJSGahD11kp26PEpBalkm3/mHtrHhW0+bcm1tDPyOCu6Alg9h4RF
BICrKKa+NfBrgAUOwbALVyG034ecnCyLGkuIerHyTgLEq0+IoJWMuZkjef6Nlhe2
Wpvvekxc4TM4y4o2Qzx615Q7b1v+H76s3pY8aVLhRr23j+zHLvLPqboUsfPC525v
rCVl8OsFkm6Gw6rzWPs/5AnSkCL1+OzKfQqHgt+MV59yn70CZGBgVbg39FNwouVq
SSquPqIIZQybXvjMDi9gSiGLWi204R8DEO0X64tUzn441Rzqz7WSe4kBFQMFEDZB
x3tGYudYIBG4eQEBAW0H/0kYBtFbR1bTkSBG2dXQB3TOpFQyvAutrDMZd8ydt93K
UPDyXUqWcZTEfAJ/6W37RhcusII5q+ZnDxqW/Ajzcpgn7xiP+ANaWsTc9w6uDpSz
Z74u0JfzFHLjWWbaUgNtGU8rHryUP01wI6FOE0cME2JykPEFcWKH+0kwSRpaUqKw
d8F2NDs2dHWxvSWmv0jzZznqD+8w9EvvwkZaDqgQldZlmqWtzrFXv2DSP5kgECNg
CZmt4NDlZfm9ziYTcyNbMJwAqFWcPbFO4yz7D6FvYFeFjO0eQzi/mFqrh+hjeLSl
CwOLxvYctK1Q/3+POl0Y7NnHTkubcfgDrjo6Ze/xQ8A=
=SKD8
-----END PGP PUBLIC KEY BLOCK-----