Security Advisory 05.11.02: Title : Cisco PIX SSH/telnet DOS vulnerability CSCdy51810 Reporter : Nils Reichen LANexpert SA Affected software : PIX OS 6.2.2 (and probably old version) Risk : High Date : November 5, 2002 URL: Full description should be posted in few days on http://www.giac.org/GCIA.php [1] Summary A vulnerability in the TCP/IP stack allow a remote attacker run a denial of service attack against the PIX firewall. This vulnerability is due to a wrong handling of the subnet address by the PIX OS stack. If the SSH or telnet daemon is used, the PIX will answer to connection request sent to the subnet address. The use of the subnet address as destination bypass the allowed other filter. DDOS attack exploiting this vulnerability may produce memory fragmentation. [2] Affected software Version 6.2.2 has been confirmed as vulnerable. Older versions have not been confirmed, but due to the stack level of this vulnerability, they could be supposed vulnerable. [3] Patch Interim build 6.2.2.111 is available for Cisco customer/partner through the Cisco Technical Assistance Center http://www.cisco.com/tac [4] Testing environments PIX 515 OS version 6.2.2 Only few inside hosts allowed to access the PIX using SSH / telnet Naptha tool v1.1 from BindView's RAZOR Security Team [5] Required Knowledge TCP PIX firewall [6] Technical Details The PIX firewall respond to TCP SYN packet sent to the subnet address (first IP of the subnet) for SSH and telnet service. This behavior is seen if at least one inside host is allowed to access the PIX using SSH and/or telnet. In this case, the TCP three-way handshaking will be completed for any external host targeting the subnet address. Test conduced with the Naptha tool v1.1 (from BindView's RAZOR team) show the free memory counter displayed with the "show memory" decreasing. This test was performed by opening TCP connections using subnet address as destination and never close it. The "show memory" command shows the largest contiguous free memory. During the test using one attacker host, the free memory shown decreased at 8kbytes/sec. A DDOS attack may lead to fragment all the free memory. TCPdump trace: 07:32:38.409393 151.100.89.67.4268 > MY.NET.97.128.22: S 1381191936:1381191936(0) win 32120 <mss 1460,sackOK,timestamp 542804848[|tcp]> (DF) (ttl 48, id 33829, len 60) 07:32:38.409556 MY.NET.97.128.22 > 151.100.89.67.4268: S [tcp sum ok] 872965664:872965664(0) ack 1381191937 win 4096 <mss 1460> (ttl 255, id 6173, len 44) 07:32:38.452593 151.100.89.67.4268 > MY.NET.97.128.22: . [tcp sum ok] 1:1(0) ack 1 win 32120 (DF) (ttl 48, id 33831, len 40) 07:32:38.453312 MY.NET.97.254.22 > 151.100.89.67.4268: P 872965665:872965684(19) ack 1381191937 win 4096 (ttl 255, id 6174, len 59) 07:32:38.497426 151.100.89.67.4268 > MY.NET.97.254.22: R [tcp sum ok] 1381191937:1381191937(0) win 0 (ttl 239, id 33833, len 40) 07:32:48.482733 151.100.89.67.4268 > MY.NET.97.128.22: F [tcp sum ok] 1:1(0) ack 1 win 32120 (DF) (ttl 48, id 34171, len 40) [7] Exploit Code Not included in this advisory on purpose [8] Workaround Filter inbound SSH and telnet traffic targeted to the PIX external subnet address and interface address on the upstream router. [9] Timeline Aug 28, 2002 Issue discovered Aug 30, 2002 Vendor notified, Cisco Systems PSIRT team notified by the TAC Sep 03, 2002 Vendor confirmed the issue, bug referenced: CSCdy51810 Sep 04, 2002 IDS Europe mailing list notified Sep 13, 2002 New build with fix available Nov 05, 2002 Public disclosure on Bugtraq mailing list [10] Correlation / Vendor status No Common Vulnerabilities and Exposures (CVE) identification assigned now Vendor referenced ID for this issue: CSCdy51810 New OS build with patch released: 6.2.2.111 Vendor don't have plans to issue security advisory, vendor PSIRT (Product Security Incident Response Team) is considering the problem as "unexpected behavior". [11] Credit Discovery and exploitation Research: Nils Reichen GCIA CCIE#6763 nreichen@lanexpert.ch [12] Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author or an entity where he belongs be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. [13] Feedback Please send suggestions, updates, and comments to: Nils Reichen LANexpert SA http://www.lanexpert.ch/ Official : nreichen@lanexpert.ch
