COMMAND

    Cisco

SYSTEMS AFFECTED

    PIX Firewall 5.1

PROBLEM

    Claudiu Calomfirescu found the following.  An attacker on either the
    inside or the outside interface of a PIX Firewall 515 or 520 running
    version 5.1.4 with aaa authentication against a TACACS+ server could
    cause the PIX to crash and reload by overwhelming it with
    authentication requests.

    Tested:

        Vulnerable Product: PIX Firewall 515, 520
        Vulnerable OS:      5.1.4 - General Deployment Release
        Non Vulnerable OS:  5.3.1 - General Deployment Release

    1. A user on the inside, without aaa permission to go out, plays  a
       game (Jewels) from zapspot.com and knows nothing about what  is
       happening in the background.
    2. At a certain time, the game tries to connect to the address
       api.zapspot.com on port 80 from source port 2000.
    3. The PIX starts an authentication process, but the game is not  a
       browser, so the user sees nothing.  The game then retries  the
       connection to api.zapspot.com port 80 from source ports  2001,
       2002, 2003 and so on, very quickly (hundreds per second).
    4. The PIX has too many authentications in progress and crashes.

    To reproduce the problem do the following:

    1. Configure the PIX Firewall version 5.1.4 for aaa authentication
       against a TACACS+ server:

        aaa-server TACACS+ protocol tacacs+
        aaa-server RADIUS protocol radius
        aaa-server grup protocol tacacs+
        aaa-server grup (inside) host 10.10.10.20 cheia timeout 5
        aaa authentication include http outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 grup
        aaa authorization include http outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 grup
        aaa accounting include http outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 grup

    2. From an inside host generate http requests with a sweep of source
       ports directed to a global address on port 80.

       In the case above, the authors generated an http request from
       source port 2000, and the PIX started an authentication process:

        109001: Auth start for user '???' from 10.10.10.1/2000 to 216.46.233.11/80

       After that they generated an http request from port 2001:

        109001: Auth start for user '???' from 10.10.10.1/2001 to 216.46.233.11/80

       and so on.  After 426 requests (this number is not always the
       same) generated in 3 seconds, the PIX gave the message:

        Panic: uauth1 - open: no more channels (tcp/UNPROXY/1/0)!

       crashed in:

        Thread Name: uauth1 (Old pc 0x80070b4f ebp 0x810c56dc)

       and reloaded.

    Very simple and nice.
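    Added here as an illustration, not part of the original advisory or of
    any Cisco tooling: a small detector that parses the 109001 "Auth start"
    messages quoted above from a PIX syslog feed and flags a source host that
    opens more than a threshold of authentications inside a short window
    (the advisory's burst was 426 in 3 seconds).  The regex follows the
    message shape quoted in the advisory; the sample feed, the threshold and
    the window are constructed for the example.

```python
import re
from collections import defaultdict, deque

# PIX syslog message 109001, in the shape quoted in the advisory:
#   109001: Auth start for user '???' from 10.10.10.1/2000 to 216.46.233.11/80
AUTH_START = re.compile(
    r"109001: Auth start for user '(?P<user>[^']*)' from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+)"
)

def parse_auth_start(line):
    """Return (user, src, sport, dst, dport) for a 109001 line, else None."""
    m = AUTH_START.search(line)
    if m is None:
        return None
    return (m["user"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def find_auth_floods(events, window=3.0, threshold=100):
    """events: iterable of (timestamp_seconds, syslog_line), in time order.
    Flags a source host the first time it has more than `threshold` auth
    starts inside any `window`-second span.  Returns [(src, ts, count)]."""
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    alerts = {}
    for ts, line in events:
        rec = parse_auth_start(line)
        if rec is None:
            continue  # not an auth-start message; ignore
        src = rec[1]
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps older than the window
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = (src, ts, len(q))
    return list(alerts.values())

def sample_events():
    """Constructed feed: one ordinary login from 10.10.10.5, one unrelated
    line, then the advisory's burst: 426 auth starts in 3 s from 10.10.10.1."""
    fmt = "109001: Auth start for user '???' from {src}/{sport} to 216.46.233.11/80"
    ev = [(0.0, fmt.format(src="10.10.10.5", sport=1184)),
          (1.0, "(constructed) some other PIX syslog line")]
    ev += [(10.0 + i * 3.0 / 426, fmt.format(src="10.10.10.1", sport=2000 + i))
           for i in range(426)]
    return ev

if __name__ == "__main__":
    for src, ts, count in find_auth_floods(sample_events()):
        print(f"auth flood from {src}: {count} auth starts by t={ts:.2f}s")
```

    On the constructed feed the quiet host is never flagged, while the
    sweeping host is reported as soon as its 101st auth start lands inside
    the 3-second window.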

SOLUTION

    The vendor (Cisco Systems) was notified on 14 March (TAC case number
    B215177).  The Cisco Technical Assistance Center is currently working
    on this case.  The engineers working this case have been working to
    reproduce the problem; engineering is also working on the problem in
    conjunction with the customer support engineer.  The crash info you
    have provided has not been helpful due to another defect, CSCdp66094,
    which causes the 5.1 series of code to continuously reload once the
    defect has been triggered, with non-informative crash info.

    The crash does not  occur in the later  versions of code, and  the
    5.1 series  of code  is not  recommended for  customers due to the
    following announcement:

        http://www.cisco.com/warp/customer/cc/pd/fw/sqfw500/prodlit/1303_pp.htm

    At this point  Cisco is still  investigating the possible  options
    for a fix.