[NEWS] Cisco VPN3000 Gateway MTU Overflow

From: support@securiteam.com
Date: 07/11/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 11 Jul 2002 12:07:21 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Cisco VPN3000 Gateway MTU Overflow
------------------------------------------------------------------------

SUMMARY

The Cisco <http://www.cisco.com/univercd/cc/td/doc/pcat/3000.htm> VPN3000
gateway lets remote client dictate which maximum MTU to use when sending
back ESP frames, regardless of the transmitting capabilities of the
physical medium (thus going over the frame buffer's size).

DETAILS

Vulnerable systems:
 * Cisco/VPN 3000 Concentrator with software vpn3000-3.5.Rel-k9.bin

Impact:
 * Oversized frames get silently discarded by equipments linked to the
gateway's public
 interface and retransmissions occur.
 * Other disturbances or DoS against neighboring equipments may occur,
especially as many IP stacks on routers, sniffers, etc are poorly
implemented.

Technical details:
When a target sends back Ethernet frames with size close to the max
Ethernet MTU (1500), the gateway encrypts the frames adding ESP headers
and then tries to send a 1580-bytes (which is well over the 1500+- frame
size limit) frame back to the client.

Workaround:
For Windows-based OS (likely UNIX and Linux-based OS too), Cisco released
a tool called
<http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/3_1/admin/vcach5.htm> setMTU.exe that can prevent ill MTU negotiation from happening.

ADDITIONAL INFORMATION

The information has been provided by <mailto:porte10@free.fr> porte10.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages

  • Re: PATCH: VLAN support for 3c59x/3c90x
    ... the MTU change information is given to the driver after it is already ... of layer-2 driver modules. ... The way that VLAN is implemented in Linux does allow ... watchdog, that is guaranteed to pass 2048 byte frames, and timeout at ...
    (Linux-Kernel)
  • Re: Jumbo Ethernet Frames
    ... >> having to worry about the 1500-byte MTU of regular ethernet frames. ... The internet shouldn't be a factor, as it'd designed to work with a variety ... IP will either fragment the packets or use MTU discovery to limit packet ...
    (comp.dcom.lans.ethernet)
  • Re: 6.2 mtu now limits size of incomming packet
    ... Let's flip the question around a bit: why would you _want_ the TCP stack ... to accept frames larger than the stated MTU? ... the standard BSD interface description does not include an MRU. ...
    (freebsd-net)
  • Re: Cisco VPN3000 gateway MTU overflow
    ... Correct me if I am wrong about this, but I believe the MTU changes the size ... So if you increase the size of a packet by ... Cisco VPN3000 gateway MTU overflow ... > frames, ...
    (Bugtraq)
  • Cisco VPN3000 gateway MTU overflow
    ... The Cisco VPN3000 gateway lets remote client dictate ... which maximum MTU to use when sending back ESP ... Oversized frames get silently discarded by ...
    (Bugtraq)