Cisco PIX Spoofed TCP SYN Packets Denial of Service Vulnerability
Via FrSIRT.

Advisory ID : FrSIRT/ADV-2005-2546
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-11-23

Technical Description

A vulnerability has been identified in Cisco PIX, which may be exploited by remote attackers to cause a denial of service. The issue is that the firewall does not verify the TCP checksum of a SYN packet before creating connection state for it. A spoofed SYN carrying an incorrect checksum is therefore forwarded and recorded as a new connection; the destination host silently discards the malformed segment without sending a RST, and the spoofed source never replies either, so the firewall holds the half-open (embryonic) connection until the embryonic connection timeout expires.

Because the firewall is holding that connection open, any further packets with the same protocol, IP addresses and ports are treated as part of the existing half-open connection. A legitimate SYN that follows the malformed SYN is therefore discarded, blocking legitimate TCP connections for that flow until the entry times out.
http://www.frsirt.com/exploits/20051123.PIXdos.pl.php
Affected Products

Cisco PIX version 6.3
Cisco PIX/ASA version 7.0

Solution

- Execute the commands "clear xlate" or "clear local-host" to flush the half-open connections; this recovers from an attack in progress but does not stop the next spoofed SYN from creating a new embryonic entry.
- Lower the default TCP embryonic connection timeout so that half-open entries created by spoofed SYNs expire sooner.
- Configure TCP Intercept so that the PIX proxies all TCP connection attempts originating from behind any firewall interface after the first connection: the PIX then completes the handshake with the client itself, so a spoofed source that never answers the SYN/ACK does not hold a connection open on the server side.
- Configure PIX/ASA 7.0 to verify TCP checksums (the checksum-verification option of a tcp-map, applied with set connection advanced-options in a policy-map), so that a SYN with a bad checksum is dropped before any connection state is created.
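As an added illustration (not code from the advisory, FrSIRT or Cisco), the following Python model reproduces the mechanism from the Technical Description and the effect of two of the workarounds above: it computes the RFC 793 TCP checksum over an IPv4 pseudo-header, builds a SYN with a deliberately wrong checksum, and runs a toy stateful firewall in which checksum verification can be switched on and the embryonic timeout is adjustable. The addresses, ports, timeout value and the firewall's state handling are constructed assumptions that mirror the advisory text, not the PIX implementation.

```python
import socket
import struct

SYN = 0x02
TCP_HDR = "!HHIIBBHHH"   # sport, dport, seq, ack, data offset, flags, window, checksum, urgent


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 793 one's-complement checksum over the IPv4 pseudo-header and the segment.

    Over a segment whose checksum field is zero it yields the value to send;
    over a segment that already carries a valid checksum it yields 0, which is
    how a receiver verifies it.
    """
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip, dst_ip, sport, dport, seq, corrupt_checksum=False) -> bytes:
    """Build a 20-byte TCP SYN header. With corrupt_checksum=True the checksum is
    deliberately wrong, like the spoofed SYNs the advisory describes."""
    hdr = struct.pack(TCP_HDR, sport, dport, seq, 0, 5 << 4, SYN, 8192, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    if corrupt_checksum:
        csum ^= 0x5555
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


class FirewallModel:
    """Constructed stateful-firewall model (an assumption, not PIX code) showing the
    behaviour the advisory contrasts: accepting a SYN without checking its checksum
    versus verifying it first, plus expiry of half-open entries."""

    def __init__(self, verify_checksums: bool, embryonic_timeout: float = 30.0):
        self.verify_checksums = verify_checksums
        self.embryonic_timeout = embryonic_timeout
        self.embryonic = {}   # flow 5-tuple -> time the half-open entry was created

    def _expire(self, now: float) -> None:
        for flow, created in list(self.embryonic.items()):
            if now - created >= self.embryonic_timeout:
                del self.embryonic[flow]

    def receive(self, src_ip: str, dst_ip: str, segment: bytes, now: float) -> str:
        self._expire(now)
        sport, dport, _, _, _, flags, _, _, _ = struct.unpack(TCP_HDR, segment[:20])
        flow = ("tcp", src_ip, sport, dst_ip, dport)
        if self.verify_checksums and tcp_checksum(src_ip, dst_ip, segment) != 0:
            return "drop: bad checksum, no state created"
        if flags & SYN:
            if flow in self.embryonic:
                # The advisory's failure mode: a second SYN for a flow that is still
                # half-open is treated as part of that connection and discarded.
                return "drop: SYN for existing embryonic connection"
            self.embryonic[flow] = now
            return "forward: new embryonic connection"
        if flow in self.embryonic:
            return "forward: part of existing connection"
        return "drop: no matching connection"


def run_scenario(verify_checksums: bool, embryonic_timeout: float = 30.0) -> list:
    """Spoofed bad-checksum SYN at t=0, legitimate SYN at t=1, retry after the timeout."""
    fw = FirewallModel(verify_checksums, embryonic_timeout)
    client, server = "192.0.2.10", "198.51.100.80"   # constructed documentation addresses
    spoofed = build_syn(client, server, 40000, 80, seq=1, corrupt_checksum=True)
    legit = build_syn(client, server, 40000, 80, seq=0x12345678)
    return [
        fw.receive(client, server, spoofed, now=0.0),
        fw.receive(client, server, legit, now=1.0),
        fw.receive(client, server, legit, now=embryonic_timeout + 1.0),
    ]


if __name__ == "__main__":
    for label, verify in (("no checksum verification", False),
                          ("checksum verification enabled", True)):
        print(label)
        for step in run_scenario(verify):
            print("  ", step)
```

With verification off, the spoofed SYN creates the half-open entry and the legitimate SYN one second later is discarded until the entry times out; with verification on, the spoofed SYN is dropped before any state exists and the legitimate SYN goes through. Calling run_scenario(False, embryonic_timeout=0.5) shows the effect of the shorter-timeout workaround: the stale entry has already expired when the legitimate SYN arrives.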
References

http://www.frsirt.com/english/advisories/2005/2546
http://www.frsirt.com/english/reference/1212
http://www.frsirt.com/english/reference/1164