[NEWS] Cisco ASA Multiple Failover DoS Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 11/15/05

  • Next message: SecuriTeam: "[NEWS] Cisco IPSec IKE Multiple DoS Vulnerabilities" 
    To: list@securiteam.com
Date: 15 Nov 2005 12:48:28 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Cisco ASA Multiple Failover DoS Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    "The <http://www.cisco.com/en/US/products/ps6120/> Cisco ASA 5500 Series
    Adaptive Security Appliance is a high-performance, multifunction security
    appliance family delivering converged firewall, IPS, network anti-virus
    and VPN services. "

    When attacker makes crafted ARP packet that conflicts with Cisco ASA IP or
    when Cisco ASA is spoofed with ARP packets, it is possible to cause a DoS
    and bypass Cisco ASA firewall.

    DETAILS

    Vulnerable Systems:
     * Cisco Adaptive Security Appliances version 7.0.0
     * Cisco Adaptive Security Appliances version 7.0.2
     * Cisco Adaptive Security Appliances version 7.0.4

    An inherent weakness in the Cisco ASA failover testing algorithm and
    methodology was identified and noted to Cisco TAC and PSIRT. In general,
    the two weaknesses have been identified as a race condition between two
    different failover testing processes and a lack of authentication for
    failover messages between active and standby.

    These conditions are noted in Cisco bug IDs:
     * CSCsc34022 - ASA-PIX requires improved failover testing method
     * CSCsc47618 - Authenticate all messages between Active and Standby

    In an Active/Standby configuration:
    When failover LAN communications goes down {i.e. cable problem, switch/hub
    failure, interface failure, ASA software bug, etc}, the standby firewall
    sends ARP requests on each of the segments for the IP address of the
    Active firewall to see if the Active is still alive. If there is a
    response for AT LEAST ONE of the requests, the standby will NOT become
    active (i.e. there is no failover).

    For this issue to occur, a duplicate IP address matching one of the active
    firewall's IP addresses must be present on the same network subnet as the
    firewalls when the active firewall loses power or crashes.

    When the active firewall loses power or crashes, the standby firewall's
    LAN failover interface will lose connectivity with the active firewall.
    This causes the standby firewall to ARP for the IP address of each active
    firewall interface. Because the active firewall is now unreachable, the
    duplicate IP address matching the active firewall will cause the standby
    firewall to receive a reply to the ARP attempt. Upon receiving the
    erroneous ARP reply, the standby firewall will believe that the active
    firewall is still reachable and prevent the standby firewall from taking
    over.

    Due to the timing of two concurrent failover tests, there are still cases
    where the standby firewall will be able to determine that the active
    firewall is down even when a duplicate IP address is present; however,
    this can not be guaranteed.

    Workaround:
    Connecting the LAN failover interfaces of the firewalls to switch ports
    may minimize but not completely mitigate the chance that an otherwise
    active firewall will lose connectivity to its LAN failover interface.

    Preventing or correcting IP addresses that duplicate the firewall IP
    addresses is a complete workaround for this issue.
    The firewall will detect and log duplicate IP addresses with system log
    message:
    %PIX-4-405001: Received ARP response collision from <firewall IP
    address/mac address of device with duplicate IP address> on interface
    <firewall interface>.

    Additional information about this syslog message is available at:
    <http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/syslog/logmsgs.htm#wp1282234> System Log Messages
    Additional information about configuring failover in PIX and ASA 7.0 is
    available at:
     
    <http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/failover.htm> http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/failover.htm
    Additional information about configuring failover in FWSM 2.3 is available
    at:
     
    <http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_3/fwsm_cfg/failover.htm> Using Failover

    The Release Note Enclosure for CSCsc47618 states:
    An attacker who can spoof the IP address and MAC address of an active
    firewall's interface may prevent failover from occurring.

    When the active firewall loses power or crashes, the standby firewall's
    LAN failover interface will lose connectivity with the active firewall.
    This causes the standby firewall to ARP for the IP address of each active
    firewall interface. The standby firewall will only accept the ARP response
    if the source
    MAC address matches the active firewall's interface MAC address. An
    attacker who can spoof the IP address and MAC address of the active
    firewall's interface can lead the standby firewall to believe that the
    active firewall is still reachable and prevent the standby firewall from
    taking over.

    Workaround:
    Configure port security on all switch ports configured to be in the same
    vlans as the active and standby firewalls enabled interfaces. Port
    security must not be enabled on the switch ports connected to the active
    and standby firewalls interfaces.

    Port security will prevent an attacker from spoofing the active firewall's
    interface MAC address allowing failover to occur normally.
    This configuration should be tested before being enabled in a production
    environment.

    For information on configuring port security refer to:
    Catalyst 6500 Series Cisco IOS Software Configuration Guide Configuring
    Port Security
    <http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a2c.html> Configuring Port Security
    Catalyst 6500 Series Software Configuration Guide Configuring Port
    Security
     
    <http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008022f27b.html> Configuring Port Security
    LAN Security Configuration Guides
     
    <http://www.cisco.com/en/US/tech/tk389/tk814/tech_configuration_guides_list.html> http://www.cisco.com/en/US/tech/tk389/tk814/tech_configuration_guides_list.html

    For information about layer 2 attacks and mitigations refer to:

    SAFE Layer 2 Security In-depth Version 2:
    <http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml> SAFE Layer 2 Security In-depth Version 2

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:atora@eplus.com> Amin Tora
    and <mailto:rivener@cisco.com> Randy Ivener

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] Cisco IPSec IKE Multiple DoS Vulnerabilities"

    Relevant Pages