Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Cisco PIX SSH/telnet dDOS vulnerability CSCdy51810

Cisco PIX SSH/telnet dDOS vulnerability CSCdy51810

by Nikola Strahija on November 9th, 2002 Affected software : PIX OS 6.2.2 (and probably old version)


URL: Full description should be posted in few days on
http://www.giac.org/GCIA.php

[1] Summary

A vulnerability in the TCP/IP stack allow a remote
attacker run a
denial of service attack against the PIX firewall.

This vulnerability is due to a wrong handling of the
subnet address
by the PIX OS stack. If the SSH or telnet daemon is
used, the PIX
will answer to connection request sent to the subnet
address.
The use of the subnet address as destination bypass the
allowed
other filter.

DDOS attack exploiting this vulnerability may produce
memory fragmentation.


[2] Affected software

Version 6.2.2 has been confirmed as vulnerable.
Older versions have not been confirmed, but due to the
stack level of this vulnerability, they could be
supposed vulnerable.


[3] Patch

Interim build 6.2.2.111 is available for Cisco
customer/partner
through the Cisco Technical Assistance Center
http://www.cisco.com/tac


[4] Testing environments

PIX 515
OS version 6.2.2
Only few inside hosts allowed to access the PIX using
SSH / telnet
Naptha tool v1.1 from BindView's RAZOR Security Team


[5] Required Knowledge

TCP
PIX firewall


[6] Technical Details

The PIX firewall respond to TCP SYN packet sent to the
subnet address (first IP of the subnet) for SSH and
telnet service. This behavior is seen if at least one
inside host is allowed to access the PIX using SSH
and/or telnet. In this case,
the TCP three-way handshaking will be completed for any
external host targeting
the subnet address.

Test conduced with the Naptha tool v1.1 (from
BindView's RAZOR team) show the free memory counter
displayed with the "show memory" decreasing. This test
was performed by opening
TCP connections using subnet address as destination and
never close it.
The "show memory" command shows the largest contiguous
free memory.

During the test using one attacker host, the free
memory shown decreased at 8kbytes/sec.

A DDOS attack may lead to fragment all the free memory.

TCPdump trace:
07:32:38.409393 151.100.89.67.4268 > MY.NET.97.128.22:
S 1381191936:1381191936(0) win 32120 1460,sackOK,timestamp 542804848[|tcp]> (DF) (ttl 48, id
33829, len 60)
07:32:38.409556 MY.NET.97.128.22 > 151.100.89.67.4268:
S [tcp sum ok] 872965664:872965664(0) ack 1381191937
win 4096 (ttl 255, id 6173, len 44)
07:32:38.452593 151.100.89.67.4268 > MY.NET.97.128.22:
. [tcp sum ok] 1:1(0) ack 1 win 32120 (DF) (ttl 48, id
33831, len 40)
07:32:38.453312 MY.NET.97.254.22 > 151.100.89.67.4268:
P 872965665:872965684(19) ack 1381191937 win 4096 (ttl
255, id 6174, len 59)
07:32:38.497426 151.100.89.67.4268 > MY.NET.97.254.22:
R [tcp sum ok] 1381191937:1381191937(0) win 0 (ttl 239,
id 33833, len 40)
07:32:48.482733 151.100.89.67.4268 > MY.NET.97.128.22:
F [tcp sum ok] 1:1(0) ack 1 win 32120 (DF) (ttl 48, id
34171, len 40)



[7] Exploit Code

Not included in this advisory on purpose


[8] Workaround

Filter inbound SSH and telnet traffic targeted to the
PIX external subnet address
and interface address on the upstream router.


[9] Timeline

Aug 28, 2002 Issue discovered
Aug 30, 2002 Vendor notified, Cisco Systems PSIRT team
notified by the TAC
Sep 03, 2002 Vendor confirmed the issue, bug referenced:
CSCdy51810
Sep 04, 2002 IDS Europe mailing list notified
Sep 13, 2002 New build with fix available
Nov 05, 2002 Public disclosure on Bugtraq mailing list


[10] Correlation / Vendor status
No Common Vulnerabilities and Exposures (CVE)
identification assigned now

Vendor referenced ID for this issue: CSCdy51810
New OS build with patch released: 6.2.2.111

Vendor don't have plans to issue security advisory,
vendor PSIRT
(Product Security Incident Response Team) is
considering the problem as "unexpected behavior".


[11] Credit

Discovery and exploitation Research:
Nils Reichen GCIA CCIE#6763
[email protected]


[12] Disclaimer

The information within this paper may change without
notice.
Use of this information constitutes acceptance for use
in an AS IS
condition. There are NO warranties with regard to this
information.
In no event shall the author or an entity where he
belongs be liable
for any damages whatsoever arising out of or
in connection with the use or spread of this information.
Any use of this information is at the user's own risk.


[13] Feedback

Please send suggestions, updates, and comments to:
Nils Reichen LANexpert SA
http://www.lanexpert.ch/
Official : [email protected]


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »