Cisco PIX fails to verify TCP checksum

2005-11-23T00:00:00
ID VU:853540
Type cert
Reporter CERT
Modified 2005-12-01T00:58:00

Description

Overview

Versions of Cisco PIX firewalls do not validate the checksum of transiting TCP packets. Attackers may be able to use this problem to create a sustained denial-of-service under certain conditions.

Description

Cisco PIX firewall systems are used to enforce site-specific network security policy. A problem related to a failure to validate the checksum information of TCP traffic by default may be used by remote, unauthenticated attackers to create a sustained denial-of-service against PIX-protected systems under certain conditions.

This condition may occur when TCP SYN packets with malformed TCP checksums and spoofed source addresses and port values are sent to systems behind affected PIX firewalls. Since the PIX does not validate the TCP checksum by default, it allows such packets through, creating an embryonic connection entry to track the connection attempt to the destination from the spoofed source address and port. The target of the attack would silently drop malformed TCP SYN packets without sending TCP RST packets back to the PIX to remove the embryonic connection entry. Legitimate attempts to connect to PIX-protected systems may then be blocked for up to two minutes per attack (assuming default embryonic connection timer settings).

Note this attack would not affect established TCP connections.

Exploit code has been made publicly available that may automate a sustained denial-of-service attack described above.


Impact

Valid TCP connection attempts originating from the spoofed source IP and source ports during a sustained attack may not be allowed through affected PIX firewalls.


Solution


Several workarounds are publicly described by Cisco:

<http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_security_notice09186a008059a411.html>
<http://www.cisco.com/warp/public/707/cisco-response-20051122-pix.shtml>


Vendor Information

853540

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Vendor has issued information

__ Sort by: Status Alphabetical

Expand all

Affected Unknown __ Unaffected

Javascript is disabled. Click here to view vendors.

Cisco Systems, Inc.

Updated: November 30, 2005

Status

__ Vulnerable

Vendor Statement

Please see <http://www.cisco.com/warp/public/707/cisco-response-20051122-pix.shtml> for the latest information regarding Cisco's response to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Cisco has also published information about this issue here:

<http://www.cisco.com/warp/public/707/cisco-response-20051122-pix.pdf>

cisco-response-20051122-pix.pdf

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A

References

  • <http://www.cisco.com/warp/public/707/cisco-response-20051122-pix.shtml>
  • <http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_security_notice09186a008059a411.html>
  • <http://www.ciac.org/ciac/bulletins/q-062.shtml>
  • <http://secunia.com/advisories/17670/>
  • <http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038971.html>
  • <http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038983.html>

Credit

This document was written by Jeff S Havrilla.

Other Information

CVE IDs: | CVE-2005-3774
---|---
Severity Metric:** | 4.59
Date Public:
| 2005-11-22
Date First Published: | 2005-11-23
Date Last Updated: | 2005-12-01 00:58 UTC
Document Revision: | 12