[fw-wiz] Cisco PIX vulnerable to TCP RST DOS attacks

From: Dario Calia (dario_calia_at_yahoo.com)
Date: 05/05/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 5 May 2004 11:46:25 -0700 (PDT)
    
    

    PIX can and has done this as well.
     
    http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml

    When upgraded, the PIX will behave as described in the
    following draft RFC.
      
    http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt

    Ciao, Dario

    >Apparently, Checkpoint can and did:
    >
    >"By upgrading to Check Point VPN-1/FireWall-1 R55
    >HFA-03 or newer, customers
    >are able to protect their entire network from this
    >vulnerability; thus
    >providing additional time and security until other
    >systems and software can
    >be patched."
    >
    >http://www.checkpoint.com/techsupport/alerts/tcp_dos.html
    >
    >Shimon Silberschlag

    >+972-3-9351572
    >+972-51-207130

    >----- Original Message -----
    >From: "Paul D. Robertson" <paul@compuwar.net>
    >To: "Ahmed, Balal" <balal.ahmed@capgemini.com>
    >Cc: <firewall-wizards@honor.icsalabs.com>
    >Sent: Wednesday, May 05, 2004 14:38
    >Subject: Re: [fw-wiz] Cisco PIX vulnerable to TCP RST DOS attacks
    >
    >
    >> On Wed, 5 May 2004, Ahmed, Balal wrote:
    >>
    >> > If a PIX, or any other firewall/device for that matter, is performing
    >> > NAPT/Hide NAT/PAT/NAT then as far as the TCP conversation is concerned
    >> > is it a connection end point or a transit device ?
    >>
    >> If it's a proxy, or a termination point for a connection such as a VPN,
    >> then it's an endpoint, if it's a filter or router, then it's a transit
    >> device.
    >>
    >> It's possible for stateful filters to "fix" endpoint issues for this bug-
    >> but it's not a default, and would have probably had to have been added
    >> since the original advisory went out. I'd like to see the firewall
    >> vendors who can step up and fix this one- it's a perfect "we can fix this
    >> without having folks update every system" thing that firewalls SHOULD fix.
    >>
    >> Paul
    >>
    >> -----------------------------------------------------------------------------
    >> Paul D. Robertson      "My statements in this message are personal opinions
    >> paul@compuwar.net       which may have no basis whatsoever in fact."
    >> probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    >> _______________________________________________
    >> firewall-wizards mailing list
    >> firewall-wizards@honor.icsalabs.com
    >> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
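As an added illustration (not part of the thread or of any vendor's code), here is the RST handling rule from the tcpsecure draft Dario references, written as the check a stateful filter could apply on behalf of the hosts behind it, next to the plain RFC 793 in-window test it replaces. The flow state, window size and RST sequence numbers are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum

MOD32 = 1 << 32  # TCP sequence numbers wrap at 2**32


class Verdict(Enum):
    ACCEPT = "tear down the connection"
    CHALLENGE = "send a challenge ACK, keep the connection"
    DROP = "drop silently"


@dataclass
class FlowState:
    """What a stateful filter tracks for one direction of a TCP flow."""
    rcv_nxt: int  # next sequence number the protected receiver expects
    rcv_wnd: int  # window the protected receiver last advertised


def in_window(seq: int, st: FlowState) -> bool:
    """RFC 793 acceptability: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND (mod 2**32)."""
    return (seq - st.rcv_nxt) % MOD32 < st.rcv_wnd


def rfc793_rst(seq: int, st: FlowState) -> Verdict:
    """Pre-draft behaviour: any in-window RST tears the connection down."""
    return Verdict.ACCEPT if in_window(seq, st) else Verdict.DROP


def tcpsecure_rst(seq: int, st: FlowState) -> Verdict:
    """draft-ietf-tcpm-tcpsecure RST rule: an exact RCV.NXT match resets,
    in-window but inexact earns a challenge ACK, anything else is dropped."""
    if seq == st.rcv_nxt:
        return Verdict.ACCEPT
    if in_window(seq, st):
        return Verdict.CHALLENGE
    return Verdict.DROP


def filter_rsts(rst_seqs, st, rule):
    """Run each RST through a rule; a stateful filter would forward only
    the ACCEPTed ones to the protected endpoint."""
    return [rule(seq, st) for seq in rst_seqs]


# Constructed sample flow and RST segments (not taken from the thread).
FLOW = FlowState(rcv_nxt=1_000_000, rcv_wnd=65_535)
SAMPLE_RSTS = [999_999, 1_030_000, 1_000_000, 1_065_535]  # below/inside/exact/past
```

Under RFC 793 two of the four sample RSTs reset the flow; under the draft rule only the exact-match one does, and the in-window guess is turned into a challenge ACK that the real peer answers with its own RST only if it genuinely wants the connection gone.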
