[NEWS] Cisco PIX DoS TTL(n-1)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.

- - - - - - - - -

Cisco PIX DoS TTL(n-1)


"The <http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/> Cisco PIX
Firewall delivers strong security and, with market-leading performance,
creates little to no network performance impact."

It is possible to perform a DoS attack on PIX or an IP address behind a
PIX from the outside interface, utilizing a flaw in the embryonic
connection mechanism. The flaw utilized in this attack is the same was
used in Cisco PIX TCP Connection Prevention vulnerability.


It is possible to prevent new communication establishment to a specific
port on a server located behind the PIX firewall, when a permanent static
mapping is applied between a local and a global IP address, similar to the
Network setup diagram below.

Network Setup:
Attacker ------ Internet ------ PIX ------ Router ------ Server

By sending a legitimate packet and specifying TTL equal to n-1 of the
destination value, it is possible to disable communication between the
source and destination port pair for the duration of approximately 120
seconds on PIXOS version 6 and 30 seconds on PIXOS version 7.

In order for the attack to succeed, an additional hop (router) should be
present between the PIX and the server, that would timeout the packet
returning the ICMP time exceeded in-transit.

Such setups can be easily identified using the TCPTraceroute to the open
port and returning repeating destination IP in the last two hops. e.g.

5 xxx.xxx.xxx.32 18.952 ms 19.396 ms 20.438 ms
6 xxx.xxx.xxx.7 19.667 ms 22.174 ms 20.629 ms
7 xxx.xxx.xxx.68 29.286 ms 21.401 ms 19.935 ms
8 xxx.xxx.xxx.100 108.143 ms 42.783 ms *
9 xxx.xxx.xxx.100 [open] 32.268 ms 26.037 ms 23.569 ms

Although, it would take a lot of packets to disrupt the communication
between the hosts completely, we assume that the attacker's aim is to
prevent the communication to a specific service located on the machine
behind the PIX firewall (e.g. HTTP/S, SMTP) and some other host on the
Internet, whose source address can be spoofed. Depending on the bandwidth,
it might take as little as 15 seconds to generate and send out 65535
packets with a custom source port.

The attack can be performed using the interactive packet constructors such
as hping, e.g.

if you want to prevent new communication establishment between SOURCE_IP
source port 31337 and TARGET_IP destination port 80, execute:
arhontus / # hping2 -a $SOURCE_IP -S -c 1 -s 31337 -p 80 -t 8 $TARGET_IP

if you want to prevent new communication establishment between SOURCE_IP
port ranges 0-63535 and TARGET_IP destination port 80, execute:
arhontus / # hping2 -a $SOURCE_IP -S -s 0 -p 80 --faster -t 8 $TARGET_IP

The attack was tested on two PIX 535 firewalls with 1Gb of RAM each
performing static permanent mapping and running in failover mode with
PIXOS ver 6.3(4), and on a single PIX 515E with 64Mb of RAM running PIXOS
ver 7.0(4)

PSIRT response with workarounds to follow this disclosure

Disclosure Timeline:
04/11/2005 - Issue discovered
24/01/2006 - PSIRT notified
07/03/2006 - Public disclosure


The information has been provided by <mailto:mlists@xxxxxxxxxx>
Konstantin V. Gavrilenko.


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.