Cisco - FWSM Security Advisory
Category: Alerts
Friday, 21 December 2007 11:34
Operating Systems Involved: Cisco IOS
Applications Involved: Undefined
Cisco has released Security Advisory cisco-sa-20071219-fwsm for a vulnerability in the Cisco Firewall Services Module (FWSM). The advisory applies only to FWSM System Software Version 3.2(3), the single affected release. The vulnerability can lead to a denial-of-service condition (a reload of the module).
More detailed information about this vulnerability and the preventive measures are available in Cisco Security Advisory cisco-sa-20071219-fwsm.
Cisco Security Advisory:
Application Inspection Vulnerability in Cisco Firewall Services Module
Document ID: 100389
Advisory ID: cisco-sa-20071219-fwsm
Summary
A vulnerability exists in the Cisco Firewall Services Module (FWSM), a
high-speed, integrated firewall module for Cisco Catalyst 6500 switches
and Cisco 7600 Series routers, that may result in a reload of the FWSM.
The only affected FWSM System Software Version is 3.2(3).
There are no known instances of intentional exploitation of this issue.
However, Cisco has observed data streams that appear to be
unintentionally triggering this vulnerability.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2007-5584 has
been assigned to this vulnerability.
Cisco will release free software updates that address this
vulnerability.
A workaround that mitigates this vulnerability is available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20071219-fwsm.shtml.
Workarounds
Disable the TCP Normalizing Function
Disabling the TCP normalizing function in the FWSM will mitigate this
vulnerability.
The TCP normalizer performs the following action:
For traffic that passes through the control-plane path, such as packets
that require Layer 7 inspection or management traffic, the FWSM sets
the maximum number of out-of-order packets that can be queued for a TCP
connection to two packets. The TCP normalizer is enabled by default and
is not configurable except to enable or disable.
To disable the TCP normalizing function, use the no control-point
tcp-normalizer command in global configuration mode, as shown in the
following example.
    FWSM# config terminal
    FWSM(config)# no control-point tcp-normalizer
    FWSM(config)#
    FWSM#
With "control-point tcp-normalizer" disabled, the strict TCP checks, such
as detecting out-of-sequence segments and monitoring TCP options, are not
performed on TCP packets received on the control plane for Layer 7
inspection in the FWSM. The feature should be re-enabled after upgrading
to a fixed version of software.
References
CISCO
http://www.cisco.com/warp/public/707/cisco-sa-20071219-fwsm.shtml