[fw-wiz] Cisco PIX vulnerable to TCP RST DOS attacks

From: Ahmed, Balal (balal.ahmed_at_capgemini.com)
Date: 05/05/04

    To: "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 5 May 2004 13:13:32 +0100
    
    

    Dear wizards,

    Cisco have released an advisory [1] hot on the heels of the NISCC TCP RST
    advisory [2]. Cisco's advice is to upgrade images where a network device is
    a connection endpoint. Question :-

    If a PIX, or any other firewall/device for that matter, is performing
    NAPT/Hide NAT/PAT/NAT, then as far as the TCP conversation is concerned, is it
    a connection endpoint or a transit device?

    If it is a connection endpoint then it is susceptible to a TCP RST DOS
    attack. According to RFC 3022 [3] and RFC 1631 [4], only ports and IP
    addresses are changed, along with updating the TCP checksum. The RFCs and
    the PIX manual would point to the fact that the PIX only forwards on and is
    not the actual host performing the three-way handshake; it only records the
    state of the connection, alters the headers, performs fixup and then
    forwards the packet on. Having said this, I have seen PIXes tear down
    connections on seeing a RESET-O arrive from the outside. Does this mean that
    the PIX IS susceptible to the TCP RST vulnerability due to the way Cisco
    have implemented NAT?

    References

    [1] http://www.cisco.com/en/US/products/products_security_advisory09186a008021ba2f.shtml

    [2] http://www.uniras.gov.uk/vuls/2004/236929/index.htm

    [3] http://www.faqs.org/rfcs/rfc3022.html

    [4] http://www.faqs.org/rfcs/rfc1631.html

    Balal Ahmed
    Security Analyst 
    Capgemini UK plc

    mailto:balal.ahmed@cgey.com

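The behaviour the post asks about, as an added example that is not from the original message or from Cisco: a toy stateful PAT entry that rewrites only the port and the TCP checksum as RFC 3022 describes, then applies three possible policies to an inbound RST, from tearing the entry down on any RST (what the poster observed) to requiring the sequence number to match exactly. Addresses, ports and sequence numbers are constructed sample values, and the policies model the question being asked, not PIX internals.

```python
# Added example (not from the original post or from Cisco): a toy RFC 3022-style PAT
# entry that rewrites only ports, addresses and the TCP checksum, plus three inbound-RST policies.
import struct
from ipaddress import ip_address

def ones_sum(data: bytes) -> int:
    """Ones-complement sum of 16-bit words (odd length is zero-padded)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: str, dst_ip: str, tcp: bytes) -> bytes:
    return ip_address(src_ip).packed + ip_address(dst_ip).packed + struct.pack("!BBH", 0, 6, len(tcp))

def with_checksum(src_ip: str, dst_ip: str, tcp: bytes) -> bytes:
    """Recompute the TCP checksum (bytes 16-17) for the given IP pair."""
    zeroed = tcp[:16] + b"\x00\x00" + tcp[18:]
    csum = 0xFFFF ^ ones_sum(pseudo_header(src_ip, dst_ip, zeroed) + zeroed)
    return tcp[:16] + struct.pack("!H", csum) + tcp[18:]

def build_tcp(src_ip, dst_ip, sport, dport, seq, flags, window=65535) -> bytes:
    """Minimal 20-byte TCP header (no options, no payload) with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    return with_checksum(src_ip, dst_ip, hdr)

class PatEntry:
    """inside (ip, port) <-> mapped (ip, port) for one outside peer, plus the next
    sequence number the device expects from that peer and the window it tracks."""
    def __init__(self, inside, mapped, outside, expect_seq, window):
        self.inside, self.mapped, self.outside = inside, mapped, outside
        self.expect_seq, self.window = expect_seq, window

    def translate_inbound(self, tcp: bytes) -> bytes:
        """RFC 3022 inbound PAT: rewrite the destination port and fix the checksum."""
        assert struct.unpack("!H", tcp[2:4])[0] == self.mapped[1], "no entry for this port"
        new = tcp[:2] + struct.pack("!H", self.inside[1]) + tcp[4:]
        return with_checksum(self.outside[0], self.inside[0], new)

    def rst_closes_flow(self, tcp: bytes, policy: str) -> bool:
        """'any': every RST closes it (the teardown the poster saw); 'in-window': only if
        SEQ is inside the tracked window (RFC 793); 'exact': only if SEQ == expected."""
        if not tcp[13] & 0x04:  # RST flag clear: never a teardown
            return False
        offset = (struct.unpack("!I", tcp[4:8])[0] - self.expect_seq) % (1 << 32)
        return {"any": True, "in-window": offset < self.window, "exact": offset == 0}[policy]
```

Under the "any" policy a transit device behaves like an endpoint that accepts every RST, while the "exact" policy limits teardown to the one sequence number the device is actually expecting.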

