Cisco PIX/ASA DHCP Relay Agent Memory Leak Vulnerability

ID CISCO-SA-20070502-CVE-2007-2461
Type cisco
Reporter Cisco
Modified 2015-01-31T07:45:00


Cisco PIX and Adaptive Security Appliance (ASA) software versions 7.2(1) through 7.2(2.14) contain a vulnerability that could allow an unauthenticated, remote attacker to cause an affected device to stop forwarding traffic.

This vulnerability exists due to an error when handling specific DHCP packets under certain configurations. An unauthenticated, remote attacker could exploit this vulnerability by sending a large number of DHCP requests to the affected device, causing the device to consume available memory resources for processing traffic. When the device exhausts available memory, it ceases to forward traffic, resulting in a denial of service (DoS) condition.

Cisco has confirmed this vulnerability and released software updates.

In order to exploit this vulnerability, the attacker must control a system that is on the same subnet as an affected device configured with DHCP relay to more than one DHCP server. The vulnerability will manifest itself slowly under normal conditions, as legitimate clients request DHCP leases, so eventually the affected PIX or ASA device will cease to forward traffic. However, an attacker with access to a subnet with a vulnerable device in a vulnerable configuration can quickly cause the affected device to stop forwarding traffic by making repeated DHCP requests. After the first request, however, the attacker's system will be granted a DHCP lease. In order to make additional requests that exploit this vulnerability, the attacker must alter the MAC address of the system's network card and then make a new request. This is possible, but it does require some skill or special tools, depending on the operating system used. It is unclear exactly how many times the attacker would need to make a DHCP request to fill up the affected memory space; however, every instance of a DHCP lease assignment will degrade performance on the device.

Users should note that even once the device has ceased to forward packets, an administrator could still connect to the console port to reboot the system or perform other administrative actions.

DHCP relay is not configured by default on the affected devices.

The Firewall Services Module (FWSM) is not affected by this vulnerability.
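As an added, defender-side example (not part of the Cisco advisory), the following Python audits a running-config excerpt for the two conditions the advisory names together: a software version in the affected 7.2(1) through 7.2(2.14) range and DHCP relay enabled toward more than one DHCP server. The `dhcprelay server` / `dhcprelay enable` command forms and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample of an ASA/PIX 7.2 running-config excerpt (not from the advisory).
SAMPLE_CONFIG = """\
ASA Version 7.2(2)
dhcprelay server 10.0.0.10 outside
dhcprelay server 10.0.0.11 outside
dhcprelay enable inside
dhcprelay timeout 60
"""

# Inclusive bounds of the affected train named in the advisory: 7.2(1) through 7.2(2.14).
AFFECTED_MIN = (7, 2, 1, 0)
AFFECTED_MAX = (7, 2, 2, 14)

# Matches "ASA Version 7.2(2)" or "PIX Version 7.2(2.14)" style version lines (assumed format).
VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)")

def parse_version(config):
    """Return the software version as a (major, minor, maint, interim) tuple, or None."""
    m = VERSION_RE.search(config)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))

def version_affected(version):
    """True when the parsed version falls inside the advisory's affected range."""
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX

def relay_servers(config):
    """Collect (server, interface) pairs from 'dhcprelay server <ip> <ifname>' lines."""
    return re.findall(r"^dhcprelay server (\S+) (\S+)", config, flags=re.M)

def relay_enabled(config):
    """True when at least one 'dhcprelay enable <ifname>' line is present."""
    return bool(re.search(r"^dhcprelay enable \S+", config, flags=re.M))

def assess(config):
    """Flag a config matching the advisory: affected version, relay enabled, more than one server."""
    version = parse_version(config)
    servers = relay_servers(config)
    enabled = relay_enabled(config)
    return {
        "version": version,
        "version_affected": version_affected(version),
        "relay_servers": len(servers),
        "exposed": version_affected(version) and enabled and len(servers) > 1,
    }

if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG))
```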