[fw-wiz] CIsco PIX vulnerable to TCP RST DOS attacks
From: Ahmed, Balal (balal.ahmed_at_capgemini.com)
Date: 05/05/04
- Previous message: Victor B. Williams: "Re: 802.1x was: [fw-wiz] IPv6 comes in the game"
- Next in thread: Paul D. Robertson: "Re: [fw-wiz] CIsco PIX vulnerable to TCP RST DOS attacks"
- Reply: Paul D. Robertson: "Re: [fw-wiz] CIsco PIX vulnerable to TCP RST DOS attacks"
- Maybe reply: Melson, Paul: "RE: [fw-wiz] CIsco PIX vulnerable to TCP RST DOS attacks"
- Reply: Mikael Olsson: "Re: [fw-wiz] CIsco PIX vulnerable to TCP RST DOS attacks"
- Maybe reply: Ahmed, Balal: "RE: [fw-wiz] CIsco PIX vulnerable to TCP RST DOS attacks"
To: "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
Date: Wed, 5 May 2004 13:13:32 +0100
Dear wizards,
Cisco have released an advisory [1] hot on the heels of the NISCC TCP RST
advisory [2]. Cisco's advice is to upgrade images where a network device is
a connection endpoint. Question :-
If a PIX, or any other firewall/device for that matter, is performing
NAPT/Hide NAT/PAT/NAT then as far as the TCP conversation is concerned is it
a connection end point or a transit device?
If it is a connection end point then it is susceptible to a TCP RST DOS
attack. According to RFC 3022 [3] and RFC 1631 [4] only ports and IP
addresses are changed along with updating the TCP checksum. The RFCs and
the PIX manual would point to the fact that the PIX only forwards on and is
not the actual host performing the three way handshake, it only records the
state of the connection, alters the headers, performs fixup and then
forwards the packet on. Having said this, I have seen PIXes tear down
connections on seeing a RESET-O arrive from the outside. Does this mean that
the PIX IS susceptible to the TCP RST vulnerability due to the way Cisco
have implemented NAT?
References
[1] http://www.cisco.com/en/US/products/products_security_advisory09186a008021ba2f.shtml
[2] http://www.uniras.gov.uk/vuls/2004/236929/index.htm
[3] http://www.faqs.org/rfcs/rfc3022.html
[4] http://www.faqs.org/rfcs/rfc1631.html
Balal Ahmed
Security Analyst
Capgemini UK plc
mailto:balal.ahmed@cgey.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
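An added example, not part of the original message and not Cisco's implementation: a generic model of how a transit device that records connection state could treat an RST arriving from the outside, under three policies. The flow-table layout, the policy names and the sample addresses and sequence values are assumptions constructed for illustration.

```python
from collections import namedtuple

MOD = 2**32  # TCP sequence numbers wrap at 32 bits

# rcv_nxt: next sequence number expected from the outside peer
# rcv_wnd: receive window advertised by the inside host
Flow = namedtuple("Flow", "rcv_nxt rcv_wnd")

def in_window(seq, flow):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2**32."""
    return (seq - flow.rcv_nxt) % MOD < flow.rcv_wnd

def rst_verdict(table, key, seq, policy):
    """What a state-tracking transit device does with an RST from outside.

    'any'    : tear down on any RST that matches the 4-tuple
    'window' : tear down only if seq is inside the receive window
    'exact'  : tear down only if seq == rcv_nxt (the RFC 5961 rule; an
               endpoint would answer other in-window RSTs with a challenge
               ACK, this model simply drops them)
    Returns 'no-state', 'drop' or 'teardown'; teardown deletes the entry.
    """
    flow = table.get(key)
    if flow is None:
        return "no-state"
    accept = {"any": True,
              "window": in_window(seq, flow),
              "exact": seq == flow.rcv_nxt}[policy]
    if not accept:
        return "drop"
    del table[key]
    return "teardown"

def demo():
    # Constructed sample: documentation addresses, made-up sequence state.
    key = ("192.0.2.10", 34567, "198.51.100.5", 443)
    rcv_nxt, rcv_wnd = 4294967000, 16384
    # exact match, in-window after 32-bit wrap, far outside the window
    seqs = [rcv_nxt, (rcv_nxt + 1000) % MOD, 123456]
    out = {}
    for policy in ("any", "window", "exact"):
        out[policy] = [rst_verdict({key: Flow(rcv_nxt, rcv_wnd)}, key, s, policy)
                       for s in seqs]
    return out

if __name__ == "__main__":
    for policy, verdicts in demo().items():
        print(f"{policy:6} {verdicts}")
```

A device using the 'any' policy loses its state entry on every matching RST, whatever the sequence number, even though it is not the TCP endpoint.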