| Cisco PIX Firewall Vulnerability | |
| Operating Systems Involved: | Cisco IOS |
| Applications Involved: | Undefined |
Source: http://securitytracker.com/alerts/2005/Nov/1015256.html
A remote user can send a TCP SYN packet with an invalid checksum through
the target firewall to cause the firewall to block new TCP connections
using the same source and destination TCP ports and IP addresses. The
remote user's packets are silently discarded because of the invalid
checksum.
Connections will be blocked until the embryonic connection timeout
occurs (the default setting is 30 seconds).
PIX software version 6.3 does not verify the TCP checksum of the packet
and will let the packet pass through the firewall. As a result, the
half-open TCP connection will be held open until the embryonic timeout
occurs (two minutes is the default setting).
Cisco has assigned Cisco Bug IDs CSCsc14915 (for PIX 6.3) and CSCsc16014
(for PIX 7.0) to this vulnerability.
The vendor was notified on October 10, 2005.
Konstantin V. Gavrilenko of Arhont Ltd. reported this vulnerability.
The original report is available at:
http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038971.html
*Impact:* A remote user can silently block TCP connections from being
permitted through the firewall.
*Solution:* Cisco has provided the following workarounds [quoted]:
1. Issuing the commands "clear xlate" or "clear local-host" will allow the
firewall to pass connections again.
2. The default TCP embryonic connection timeout is 30 seconds. This
default can also be modified which further mitigates the issue. This
workaround should be effective regardless of the cause of the issue.
This configuration example sets the TCP embryonic connection timeout
to 10 seconds for the default "global_policy" policy-map:
    ! Match all TCP traffic; the explicit deny keeps non-TCP out of the class
    access-list tcp_inspection extended permit tcp any any
    access-list tcp_inspection extended deny ip any any
    class-map my_inspection_tcp
      match access-list tcp_inspection
    policy-map global_policy
      class my_inspection_tcp
        ! Tear down half-open connections after 10 seconds instead of the default 30
        set connection timeout embryonic 0:00:10
    service-policy global_policy global
3. TCP Intercept can be configured to allow the PIX to proxy all TCP
connection attempts originated from behind any firewall interface
after the first connection. PIX will create and send the TCP SYN,ACK
from the destination to the original source. Since the original TCP
SYN packet was spoofed, the source IP address will not be tracking
the TCP connection and it will send a TCP RST to the PIX. The PIX
will then close the connection originating from the TCP SYN packet
with the invalid checksum. This workaround should be effective
regardless of the cause of the issue.
This example proxies all TCP connection attempts originated from any
firewall interface after the first connection for the default
"global_policy" policy-map:
    ! Match all TCP traffic; the explicit deny keeps non-TCP out of the class
    access-list tcp_inspection extended permit tcp any any
    access-list tcp_inspection extended deny ip any any
    class-map my_inspection_tcp
      match access-list tcp_inspection
    policy-map global_policy
      class my_inspection_tcp
        ! Beyond one half-open connection, the PIX proxies the handshake (TCP Intercept)
        set connection embryonic-conn-max 1
    service-policy global_policy global
4. When invalid checksums are the cause of this issue, PIX/ASA
software version 7.0 can be configured to verify TCP checksums which
will eliminate the impact. Verifying TCP checksums may impact
firewall performance and should be tested before being enabled in a
production environment.
This example verifies TCP packet checksums for the default
"global_policy" policy-map:
    ! A tcp-map carrying the checksum-verification option, applied to the TCP class below
    tcp-map verify-chksum
      checksum-verification
    access-list tcp_inspection extended permit tcp any any
    access-list tcp_inspection extended deny ip any any
    class-map my_inspection_tcp
      match access-list tcp_inspection
    policy-map global_policy
      class my_inspection_tcp
        ! Segments with an invalid TCP checksum are dropped before any connection state is created
        set connection advanced-options verify-chksum
    service-policy global_policy global
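The following is an added example and is not part of the advisory or of any Cisco code. It implements the TCP checksum verification that workaround 4 enables (one's-complement sum over the IPv4 pseudo-header plus the segment, RFC 1071 style) and pairs it with a deliberately simplified model of a firewall's embryonic connection table. The `EmbryonicTable` class, its string verdicts and the sample SYN segments are all constructed for illustration and are assumptions, not PIX internals; the model only reproduces the behaviour the advisory describes: an unverified SYN with a bad checksum occupies a half-open slot for the embryonic timeout, so a legitimate SYN for the same 4-tuple is blocked until that timeout expires, whereas checksum verification drops the packet without creating state and a shorter timeout narrows the window.

```python
"""Added example (not from the advisory or Cisco): TCP checksum verification and a
toy embryonic-connection model. All packets below are constructed sample data."""
import struct
from typing import Optional

TCP_PROTO = 6
CHECKSUM_OFFSET = 16  # byte offset of the 16-bit checksum field in the TCP header


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by IP and TCP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header (src, dst, zero, protocol, TCP length) covered by the checksum."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, TCP_PROTO, tcp_len)


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Correct checksum for a segment, computed with the checksum field treated as zero."""
    zeroed = segment[:CHECKSUM_OFFSET] + b"\x00\x00" + segment[CHECKSUM_OFFSET + 2:]
    covered = pseudo_header(src_ip, dst_ip, len(segment)) + zeroed
    return (~ones_complement_sum(covered)) & 0xFFFF


def verify_tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """Valid when the sum over pseudo-header + segment (checksum included) folds to 0xFFFF."""
    covered = pseudo_header(src_ip, dst_ip, len(segment)) + segment
    return ones_complement_sum(covered) == 0xFFFF


def build_syn(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, seq: int = 0,
              checksum: Optional[int] = None) -> bytes:
    """Build a bare 20-byte TCP SYN header; the checksum is computed unless one is forced."""
    # ports, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    if checksum is None:
        checksum = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:CHECKSUM_OFFSET] + struct.pack("!H", checksum) + hdr[CHECKSUM_OFFSET + 2:]


def corrupt_checksum(segment: bytes) -> bytes:
    """Return a copy whose checksum field is wrong (models a SYN with an invalid checksum)."""
    (good,) = struct.unpack("!H", segment[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 2])
    return segment[:CHECKSUM_OFFSET] + struct.pack("!H", good ^ 0x5A5A) + segment[CHECKSUM_OFFSET + 2:]


class EmbryonicTable:
    """Simplified model (an assumption, not PIX internals) of the half-open connection table.

    verify_checksum=False models a firewall that does not check TCP checksums;
    True models PIX/ASA 7.0 with a checksum-verification tcp-map applied.
    timeout_s is the embryonic connection timeout in seconds.
    """

    def __init__(self, timeout_s: float, verify_checksum: bool):
        self.timeout_s = timeout_s
        self.verify_checksum = verify_checksum
        self.half_open = {}  # (src_ip, sport, dst_ip, dport) -> expiry time

    def handle_syn(self, src_ip: bytes, dst_ip: bytes, segment: bytes, now: float) -> str:
        if self.verify_checksum and not verify_tcp_checksum(src_ip, dst_ip, segment):
            return "dropped-bad-checksum"  # discarded; no connection state is created
        sport, dport = struct.unpack("!HH", segment[:4])
        key = (src_ip, sport, dst_ip, dport)
        expiry = self.half_open.get(key)
        if expiry is not None and now < expiry:
            return "blocked-duplicate"  # slot still held by the earlier half-open attempt
        self.half_open[key] = now + self.timeout_s
        return "forwarded"


if __name__ == "__main__":
    src, dst = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])  # constructed sample addresses
    good = build_syn(src, dst, 40000, 80, seq=1)
    bad = corrupt_checksum(good)
    print("good checksum valid:", verify_tcp_checksum(src, dst, good))
    print("bad checksum valid: ", verify_tcp_checksum(src, dst, bad))
    legacy = EmbryonicTable(timeout_s=120, verify_checksum=False)
    print("no verification:", legacy.handle_syn(src, dst, bad, 0), legacy.handle_syn(src, dst, good, 1))
    strict = EmbryonicTable(timeout_s=120, verify_checksum=True)
    print("with verification:", strict.handle_syn(src, dst, bad, 0), strict.handle_syn(src, dst, good, 1))
```

Run it directly to see the two verdict sequences side by side; the same functions can be pointed at real segment bytes taken from a capture (IPv4 header stripped) to confirm which packets a checksum-verifying policy would discard.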
CERT.PT's mission is to contribute to the national cybersecurity effort, namely by handling and coordinating incident response, producing security alerts and recommendations, and promoting a security culture in Portugal.
Av. do Brasil 101
1700-066 Lisboa
Portugal
Tel: +351 218440177 (9h30-12h30, 14h00-17h30; GMT)
Fax: +351 218472167
email:
pgp: 342A 17BA DF71 E193 6871 0357 8BDE A247 C523 AAE7