[Full-Disclosure] Potential denial of service bug in Cisco Pix Firewall IOS resolve d in 6.3.(3)105

• Previous message: EnGarde Secure Linux: "[Full-Disclosure] [ESA-20040105-001] 'kernel' bug and security fixes."
• Next in thread: amilabs: "RE: [Full-Disclosure] Potential denial of service bug in Cisco Pix Firewall IOS resolve d in 6.3.(3)105"
• Reply: amilabs: "RE: [Full-Disclosure] Potential denial of service bug in Cisco Pix Firewall IOS resolve d in 6.3.(3)105"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: full-disclosure@lists.netsys.com
Date: Mon, 5 Jan 2004 14:55:15 -0000

Brief Description
-----------------

Users of Cisco Pix Firewalls may discover that their pool of NAT'ted IP
addresses is running out, and that a reboot, reload or "clear xlate" on the
firewall clears the problem.

Details
-------

The problem is caused by the Firewall being swamped by incoming ICMP packets
on the global pool IP addresses. If these are not intercepted by a router
beforehand, the incoming echo requests (that are emanating from
Nachi/Welchia worm infected machines) are preventing the release of the
address translation. ie, the Pix is detecting the blocked traffic as
indication that the translation is still in use.

Permanent fix
-------------

I have been informed by Cisco that this is resolved in 6.3(3)105. The
relevant case ID is CSCec 47609 detailed at
www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec47609 and
referenced at
www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00801b
143a.shtml

This is probably also fixed in later IOS versions.

-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk

Even if you win the rat race, that will still only make you a rat.

-
DISCLAIMER:

NOTICE: The information contained in this email and any attachments is
confidential and may be privileged. If you are not the intended
recipient you should not use, disclose, distribute or copy any of the
content of it or of any attachment; you are requested to notify the
sender immediately of your receipt of the email and then to delete it
and any attachments from your system.

RNIB endeavours to ensure that emails and any attachments generated by
its staff are free from viruses or other contaminants. However, it
cannot accept any responsibility for any such which are transmitted.
We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email and
any attachments are those of the author and do not necessarily represent
those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

• Previous message: EnGarde Secure Linux: "[Full-Disclosure] [ESA-20040105-001] 'kernel' bug and security fixes."
• Next in thread: amilabs: "RE: [Full-Disclosure] Potential denial of service bug in Cisco Pix Firewall IOS resolve d in 6.3.(3)105"
• Reply: amilabs: "RE: [Full-Disclosure] Potential denial of service bug in Cisco Pix Firewall IOS resolve d in 6.3.(3)105"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]