COMMAND

    CISCO PIX

SYSTEMS AFFECTED

    CISCO (PIX firewall software up to and including v4.2(1), CBAC
    v11.2P and 11.3T; the bug will also be present in initial 12.0
    revisions of CBAC software)

PROBLEM

    Robert Ståhlbrand found the following during security testing of
    firewalls in his lab.  He found a serious bug in Cisco PIX that
    makes it possible to run DoS attacks against static IP addresses on
    the inside.  Most Cisco PIX installations use NAT, but if you need
    DNS, mail etc. you have to have a static address for that server,
    and many Cisco PIX installations are configured like this.

    Send a fragmented packet, split into two, with the FIN flag set, and
    you will notice that the fragment carrying the TCP header is
    correctly dropped, but the second fragment is let through the PIX to
    the host on the inside!  Another strange thing is that the data is
    deformed so that every byte is 7E!  This was tested with only ICMP
    allowed, with mail etc. allowed, and with nothing allowed, and the
    same result appeared every time: the fragment that does not contain
    the TCP header is let through!

    So how can you do a DoS attack with this?  Easy!  Just send a lot of
    those packets (really, a lot!!!) to this host and see what happens.
    An NT server tested against this stopped completely; you couldn't
    even move the mouse.  Same thing with a Linux box, but NT servers
    with more than one CPU managed a little better: only one CPU went up
    to 100%.  This was also tried against a SUN Ultra 2 with a lot of
    memory, but the attack did not seem to affect that machine very
    much.  The reason the smaller machine hangs could (must?!) be that
    it collects a lot of fragmented packets but never receives the first
    part of any of them, which exhausts its memory after a while.  It
    also has a great deal of work to do collecting all these packets.
    The server will hang fast (1 second or so) if you have plenty of
    bandwidth, slower if you don't, but it will always work.  The funny
    thing is that it is the PIX that makes it possible to perform this
    DoS attack.

    Any company, organisation etc. that uses static addressing along
    with a Cisco PIX running any version of PIX software is vulnerable
    to this.  Even the latest beta was tried.

SOLUTION

    This vulnerability has been assigned Cisco bug ID CSCdk36273.  Cisco
    made changes to the PIX firewall software to improve its behavior in
    the face of fragmented packets.  Specifically:

        o Interfragment  state will  be kept.  A non-initial  fragment
          will be discarded unless the corresponding initial  fragment
          was  permitted  to  pass  through  the firewall. Non-initial
          fragments   received   before   the   corresponding  initial
          fragments will be discarded.

        o The  amount of  memory dedicated  to fragment  state will be
          limited  in  order  to  avoid  the obvious denial of service
          attacks against the PIX firewall itself.

        o Fragments received  for statically configured  NAT addresses
          without  conduits  will  be  dropped  as  other  unsolicited
          packets are.

        o Fragments will be checked for certain overwrite attacks.
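    The four rules above, modelled as an added example in Python (this
    is not Cisco's code and not part of the advisory): a stateful filter
    that passes a non-initial fragment only when its initial fragment was
    already permitted, keeps that state bounded, and drops fragments for
    addresses without a conduit.  The fragment record, the conduit table
    and the addresses are constructed; the overwrite check is assumed to
    be the RFC 1858 style "TCP fragment offset 1" rule, since the
    advisory does not say which overwrite attacks are checked.

```python
from collections import OrderedDict
from dataclasses import dataclass

ICMP, TCP = 1, 6


@dataclass(frozen=True)
class Fragment:
    """One IP fragment (constructed record, not a real packet parser)."""
    src: str
    dst: str
    proto: int     # IP protocol number: 1 = ICMP, 6 = TCP
    ident: int     # IP identification field, shared by all fragments of a datagram
    offset: int    # fragment offset in 8-byte units; 0 marks the initial fragment
    more: bool     # IP "more fragments" flag


class StatefulFragmentFilter:
    """Interfragment state as described for PIX 4.2.2: a non-initial
    fragment passes only if the matching initial fragment already passed,
    and the number of tracked datagrams is capped."""

    def __init__(self, conduits, max_state=8):
        self.conduits = conduits      # set of (dst, proto) the ruleset permits
        self.max_state = max_state    # upper bound on tracked datagrams
        self.state = OrderedDict()    # (src, dst, proto, ident) -> True

    def decide(self, f):
        """Return True if the fragment may pass to the inside host."""
        key = (f.src, f.dst, f.proto, f.ident)
        if f.offset == 0:
            # Initial fragment: apply the ordinary ruleset (conduits).
            allowed = (f.dst, f.proto) in self.conduits
            if allowed and f.more:
                if len(self.state) >= self.max_state:
                    self.state.popitem(last=False)  # evict oldest; memory stays bounded
                self.state[key] = True
            return allowed
        if f.proto == TCP and f.offset == 1:
            # Assumed overwrite check (RFC 1858): offset 1 would overlay the
            # bytes holding the TCP flags of the initial fragment.
            return False
        # Orphans (no initial seen yet) and tails of denied heads are dropped.
        return key in self.state
```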

    These changes are undergoing  quality assurance testing, and  will
    be released  in Cisco  PIX firewall  software release  4.2.2.  The
    vulnerability  is  scheduled  to  be  fixed  for CBAC in Cisco IOS
    software  release  12.0(2)  and  12.0(3)T,  which  are tentatively
    scheduled for release in late November, 1998, and in late January,
    1999, respectively. All schedules are subject to change.