Arhont Ltd. - Information Security

Arhont Advisory by: Konstantin V. Gavrilenko (http://www.arhont.com)

Advisory:       Cisco PIX TCP Connection Prevention
Class:          design bug
Version:        Tested on PIX515E, PIX OS version 6.3(3)
Model Specific: Other versions might have the same bug

DETAILS:

When a host is located on the trusted side of the network behind the PIX firewall, it is possible to prevent a new, legitimate TCP connection from being established to a host located on the other side of the firewall.

In order to execute such an attack, an attacker would send a specially crafted TCP packet with an incorrect checksum through the PIX firewall, spoofed so that it appears to originate from a legitimate host. S/he would need to specify the source and destination IP addresses and ports; once such a packet has been received by the PIX firewall, no new TCP session can be established with the credentials specified in the malicious packet. The downtime of the connection is around 2 minutes 2 seconds, after which a new connection can be established again and the PIX resumes its normal mode of operation. The attack does not affect connections that are already established through the PIX.

Although it would take a lot of packets to disrupt communication between the hosts completely, we assume that the attacker's aim is to prevent communication with a specific service on the remote host, e.g. SSH, SMTP or TCP syslog; it takes around 15 seconds to generate and send 65535 packets with a custom source port on a 100 Mbit LAN.

The attack was tested on a PIX 515E firewall with 64 MB of RAM performing NAT on the external interface; the configuration file is attached.

The custom packet can be easily generated with hping2 as follows:

    arhontus / # hping -c 1 -S -s 31337 -k -b -p 22 192.168.xx.xxx

Allowing just one such packet through the PIX firewall will block the forthcoming packets from port 31337 to port 22 for just over 2 minutes.
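A defender's counterpart to the traffic described above, added here as an example (it is not from the advisory or the attached tool): a passive check that verifies the TCP checksum of captured segments and flags a burst of bad-checksum segments aimed at one destination port, which is the pattern a capture in front of the PIX would show. The addresses and segments are constructed sample data; a real sensor would feed the same function from a pcap.

```python
import socket
import struct
from collections import Counter

TCP_PROTO = 6

def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over IPv4 pseudo-header + TCP segment; 0 means a complete segment verifies."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF

def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int,
              corrupt: bool = False) -> bytes:
    """Minimal 20-byte SYN for the sample capture; corrupt=True breaks its checksum."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | 0x02, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    if corrupt:
        csum ^= 0x5A5A  # differs from the valid value and from its 0/0xFFFF alias
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def scan_bad_checksums(packets, threshold: int = 3):
    """Count bad-checksum segments per (src, dst, dport) from (src, dst, segment) tuples."""
    bad = Counter()
    for src_ip, dst_ip, seg in packets:
        if len(seg) < 20 or tcp_checksum(src_ip, dst_ip, seg) != 0:
            dport = struct.unpack("!H", seg[2:4])[0] if len(seg) >= 4 else -1
            bad[(src_ip, dst_ip, dport)] += 1
    return {key: n for key, n in bad.items() if n >= threshold}

# Constructed sample capture (not real traffic): one valid SYN to port 22, then five
# SYNs with bad checksums whose source port is incremented for each packet.
SRC, DST = "192.0.2.10", "198.51.100.20"
SAMPLE = [(SRC, DST, build_syn(SRC, DST, 40000, 22))]
SAMPLE += [(SRC, DST, build_syn(SRC, DST, sport, 22, corrupt=True)) for sport in range(31337, 31342)]

if __name__ == "__main__":
    print(scan_bad_checksums(SAMPLE))  # {('192.0.2.10', '198.51.100.20', 22): 5}
```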
The sample Perl script that is used to automate the source port increments and generate the malicious packets is attached.

RISK FACTOR: Medium

WORKAROUNDS: Await Cisco advice on details of the workarounds.

COMMUNICATION HISTORY:
PSIRT notified on 10/10/2005
P release on 22/11/2005

ADDITIONAL INFORMATION: the pixdos.pl tool is attached to this e-mail.

* According to Arhont Ltd. policy, all vulnerabilities and security issues found are reported to the manufacturer at least 7 days before they are released to the public domain (such as CERT and BUGTRAQ).

If you would like more information about this issue, please do not hesitate to contact the Arhont team at info@arhont.com

APPENDIX 1. Show Tech output:

pixfw# sh tech
Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

pixfw up 44 days 19 hours

Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0090.2799.118f, irq 10
1: ethernet1: address is 0090.2799.11b6, irq 11
2: ethernet2: address is 00a4.0080.d29c, irq 11

Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Disabled
Maximum Physical Interfaces: 3
Maximum Interfaces:          5
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.
Serial Number: 806330010 (0x300f9e9a)
Running Activation Key: 0x50c39a05 0x17a94508 0x39b8204a 0x50691aba
Configuration last modified by enable_15 at 19:04:14.354 UTC Sun Feb 14 1993

------------------ show clock ------------------

19:05:11.235 UTC Sun Feb 14 1993

------------------ show memory ------------------

Free memory:        49178768 bytes
Used memory:        17930096 bytes
-------------     ----------------
Total memory:       67108864 bytes

------------------ show conn count ------------------

99 in use, 4993 most used

------------------ show xlate count ------------------

175 in use, 176 most used

------------------ show blocks ------------------

  SIZE    MAX    LOW    CNT
     4   1600   1588   1599
    80    400    397    400
   256   1012    912   1011
  1550   1189    595    801

------------------ show interface ------------------

interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0090.2799.118f
  IP address *********, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        393729057 packets input, 3005934690 bytes, 0 no buffer
        Received 56994 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        368741691 packets output, 3096620746 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/22)
        output queue (curr/max blocks): hardware (0/100) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0090.2799.11b6
  IP address *********, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        368500878 packets input, 3132746326 bytes, 0 no buffer
        Received 36698 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        393715693 packets output, 2991713049 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/54)
        output queue (curr/max blocks): hardware (1/48) software (0/1)
interface ethernet2 "intf2" is administratively down, line protocol is down
  Hardware is i82559 ethernet, address is 00a4.0080.d29c
  MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)

------------------ show cpu usage ------------------

CPU utilization for 5 seconds = 0%; 1 minute: 3%; 5 minutes: 2%

------------------ show process ------------------

    PC       SP       STATE    Runtime    SBASE    Stack       Process
Hsi 001eaa09 008ba2dc 00555860 0 008b9354 3628/4096 arp_timer
Lsi 001effad 0095d4d4 00555860 0 0095c55c 3816/4096 FragDBGC
Lwe 00119abf 009de6c4 00558fc0 0 009dd85c 3688/4096 dbgtrace
Lwe 003e3f55 009e0854 0054e188 21240 009de90c 6184/8192 Logger
Hsi 003e806d 009e394c 00555860 0 009e19d4 8024/8192 tcp_fast
Hsi 003e7f0d 009e59fc 00555860 0 009e3a84 8024/8192 tcp_slow
Lsi 003006f9 00b1bfec 00555860 0 00b1b064 3944/4096 xlate clean
Lsi 00300607 00b1d08c 00555860 0 00b1c114 3884/4096 uxlate clean
Mwe 002f82d3 00cb548c 00555860 0 00cb34f4 7908/8192 tcp_intercept_timer_process
Lsi 0043a545 00d5fd44 00555860 0 00d5edbc 3900/4096 route_process
Hsi 002e80f4 00d60dd4 00555860 0 00d5fe6c 2748/4096 PIX Garbage Collector
Hwe 00217101 00d6af04 00555860 0 00d66f9c 16048/16384 isakmp_time_keeper
Lsi 002e5e74 00d8528c 00555860 0 00d84304 3944/4096 perfmon
Mwe 0020e719 00daf6bc 00555860 0 00dad744 7860/8192 IPsec timer handler
Hwe 0039a4db 00dc416c 00570980 0 00dc2224 7000/8192 qos_metric_daemon
Mwe 00261395 00ddeca4 00555860 0 00ddad3c 15592/16384 IP Background
Lwe 002f8f4a 00e915f4 0056bc98 0 00e9077c 3704/4096 pix/trace
Lwe 002f9182 00e926a4 0056c3c8 0 00e9182c 3704/4096 pix/tconsole
Hwe 0011f217 00e9e65c 00502bc0 0 00e9ab94 14732/16384 ci/console
Csi 002f0fd3 00e9fb9c 00555860 0 00e9ec44 3540/4096 update_cpu_usage
Hwe 002dcba1 00f43b34 00534c00 0 00f3fcac 15884/16384 uauth_in
Hwe 003e6b5d 00f45c34 009927a8 0 00f43d5c 7896/8192 uauth_thread
Hwe 003fce0a 00f46d84 0054e788 0 00f45e0c 3960/4096 udp_timer
Hsi 001e2636 00f48a44 00555860 0 00f47acc 3928/4096 557mcfix
Crd 001e25eb 00f49b04 00555cd8 3114406700 00f48b7c 3684/4096 557poll
Lsi 001e26a5 00f4aba4 00555860 0 00f49c2c 3848/4096 557timer
Cwe 001e4229 00f60c7c 0079b338 3039940 00f5ed84 5208/8192 pix/intf0
Mwe 003fcb7a 00f61d8c 009db3d0 0 00f60e54 3896/4096 riprx/0
Msi 003a3999 00f62e9c 00555860 0 00f61f24 3524/4096 riptx/0
Cwe 001e4229 00f69034 00725dc8 3054440 00f6713c 4876/8192 pix/intf1
Mwe 003fcb7a 00f6a144 009db388 0 00f6920c 3896/4096 riprx/1
Msi 003a3999 00f6b254 00555860 0 00f6a2dc 3888/4096 riptx/1
Cwe 001eccfd 00f7145c 00886978 0 00f6f4f4 8040/8192 pix/intf2
Mwe 003fcb7a 00f724fc 009db340 0 00f715c4 3896/4096 riprx/2
Msi 003a3999 00f7360c 00555860 0 00f72694 3888/4096 riptx/2
Mwe 003fcb7a 00fe66a4 009db268 0 00fe477c 7644/8192 radius_rcvauth
Mwe 003fcb7a 00fe7754 009db220 0 00fe682c 3548/4096 radius_rcvacct
Mwe 0039bd42 00fe8854 00547f48 0 00fe78dc 3960/4096 radius_snd
Hwe 003e6df1 00fe8c64 00968f30 0 00fe89bc 284/1024 listen/http1
Hwe 003fcb7a 00fe9814 009db2b0 0 00fe8e6c 2356/4096 snmp
Hwe 003fcb7a 00fea434 009db2f8 0 00fea0ec 840/1024 snmp_ex
Hwe 003e6df1 00feac24 00969028 0 00fea9dc 172/1024 listen/pfm
Hwe 003e6df1 00feb4fc 00969120 0 00feaeb4 1196/2048 listen/telnet_1
Hwe 003e6df1 00febe04 00969218 0 00feb7bc 1196/2048 listen/ssh_1
Mwe 00370852 00fee65c 00555860 600 00fec6e4 5476/8192 Crypto CA
Mwe 003e0b11 00ffab64 00555860 0 00ff8bec 6440/8192 ssh/timer
M*  003d9c8c 0009ff2c 00555898 460 010f4ccc 3992/8192 ssh

------------------ show failover ------------------

No license for Failover

------------------ show traffic ------------------

outside:
        received (in 3870403.800 secs):
                393818423 packets       3019023411 bytes
                0 pkts/sec      1 bytes/sec
        transmitted (in 3870403.800 secs):
                368984754 packets       3401126889 bytes
                1 pkts/sec      0 bytes/sec
inside:
        received (in 3870404.160 secs):
                368698713 packets       3380524010 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 3870404.160 secs):
                393788677 packets       3002331521 bytes
                0 pkts/sec      0 bytes/sec
intf2:
        received (in 3870404.160 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 3870404.160 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec

------------------ show perfmon ------------------

PERFMON STATS:    Current      Average
Xlates               4/s          0/s
Connections          4/s          0/s
TCP Conns            4/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
TCP Fixup         1236/s          0/s
TCPIntercept         0/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s

------------------ show running-config ------------------

: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ******** encrypted
passwd ********* encrypted
hostname pixfw
domain-name testing.arhont.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
pager lines 24
logging on
logging timestamp
logging buffered warnings
logging trap warnings
logging history warnings
logging device-id hostname
logging host outside *********
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside ********
ip address inside *******
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm location ********* 255.255.255.0 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1
global (outside) 2
global (outside) 3
global (outside) 4
global (outside) 5
nat (inside) 1 access-list forcenat-105 0 0
nat (inside) 2 access-list forcenat-9 0 0
nat (inside) 3 access-list forcenat-1-net 0 0
nat (inside) 4 access-list forcenat-10-net 0 0
nat (inside) 5 access-list forcenat-11-net 0 0
nat (inside) 0 ********* 255.255.255.0 0 0
access-group acl_inbound in interface outside
rip outside default version 2 authentication md5 ******** 1
route outside 0.0.0.0 0.0.0.0 ********* 1
timeout xlate 3:00:00
timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (outside) host ******** ******** timeout 20
aaa-server LOCAL protocol local
http server enable
http ********** 255.255.255.0 inside
snmp-server host inside *********** trap
snmp-server location Yuggoth
snmp-server contact Kthulhu
snmp-server community public
snmp-server enable traps
floodguard enable
crypto ipsec transform-set kosts esp-des esp-sha-hmac
crypto map kosmap 10 ipsec-isakmp
crypto map kosmap 10 match address 110
crypto map kosmap 10 set pfs group2
crypto map kosmap 10 set peer **********
crypto map kosmap 10 set transform-set kosts
crypto map kosmap 10 set security-association lifetime seconds 600 kilobytes 4608000
isakmp key ******** address ********* netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
telnet ********* 255.255.255.0 inside
telnet timeout 60
ssh ********* 255.255.255.0 inside
ssh timeout 30
console timeout 0
terminal width 80
Cryptochecksum:b4a63a116c67521e09fbbbc9fdec895e
: end

-- 
Respectfully,
Konstantin V. Gavrilenko

Arhont Ltd - Information Security

web:    http://www.arhont.com
        http://www.wi-foo.com
e-mail: k.gavrilenko@arhont.com
tel:    +44 (0) 870 44 31337
fax:    +44 (0) 117 969 0141
PGP:    Key ID - 0xE81824F4
PGP:    Server - keyserver.pgp.com