Security Advisory 05.11.02:
Title : Cisco PIX SSH/telnet DOS vulnerability CSCdy51810 Reporter : Nils Reichen LANexpert SA Affected software : PIX OS 6.2.2 (and probably old version) Risk : High Date : November 5, 2002 URL: Full description should be posted in few days on http://www.giac.org/GCIA.php
A vulnerability in the TCP/IP stack allow a remote attacker run a denial of service attack against the PIX firewall.
This vulnerability is due to a wrong handling of the subnet address by the PIX OS stack. If the SSH or telnet daemon is used, the PIX will answer to connection request sent to the subnet address. The use of the subnet address as destination bypass the allowed other filter.
DDOS attack exploiting this vulnerability may produce memory fragmentation.
 Affected software
Version 6.2.2 has been confirmed as vulnerable. Older versions have not been confirmed, but due to the stack level of this vulnerability, they could be supposed vulnerable.
Interim build 220.127.116.11 is available for Cisco customer/partner through the Cisco Technical Assistance Center http://www.cisco.com/tac
 Testing environments
PIX 515 OS version 6.2.2 Only few inside hosts allowed to access the PIX using SSH / telnet Naptha tool v1.1 from BindView's RAZOR Security Team
 Required Knowledge
TCP PIX firewall
 Technical Details
The PIX firewall respond to TCP SYN packet sent to the subnet address (first IP of the subnet) for SSH and telnet service. This behavior is seen if at least one inside host is allowed to access the PIX using SSH and/or telnet. In this case, the TCP three-way handshaking will be completed for any external host targeting the subnet address.
Test conduced with the Naptha tool v1.1 (from BindView's RAZOR team) show the free memory counter displayed with the "show memory" decreasing. This test was performed by opening TCP connections using subnet address as destination and never close it. The "show memory" command shows the largest contiguous free memory.
During the test using one attacker host, the free memory shown decreased at 8kbytes/sec.
A DDOS attack may lead to fragment all the free memory.
TCPdump trace: 07:32:38.409393 18.104.22.168.4268 > MY.NET.97.128.22: S 1381191936:1381191936(0) win 32120 <mss 1460,sackOK,timestamp 542804848[|tcp]> (DF) (ttl 48, id 33829, len 60) 07:32:38.409556 MY.NET.97.128.22 > 22.214.171.124.4268: S [tcp sum ok] 872965664:872965664(0) ack 1381191937 win 4096 <mss 1460> (ttl 255, id 6173, len 44) 07:32:38.452593 126.96.36.199.4268 > MY.NET.97.128.22: . [tcp sum ok] 1:1(0) ack 1 win 32120 (DF) (ttl 48, id 33831, len 40) 07:32:38.453312 MY.NET.97.254.22 > 188.8.131.52.4268: P 872965665:872965684(19) ack 1381191937 win 4096 (ttl 255, id 6174, len 59) 07:32:38.497426 184.108.40.206.4268 > MY.NET.97.254.22: R [tcp sum ok] 1381191937:1381191937(0) win 0 (ttl 239, id 33833, len 40) 07:32:48.482733 220.127.116.11.4268 > MY.NET.97.128.22: F [tcp sum ok] 1:1(0) ack 1 win 32120 (DF) (ttl 48, id 34171, len 40)
 Exploit Code
Not included in this advisory on purpose
Filter inbound SSH and telnet traffic targeted to the PIX external subnet address and interface address on the upstream router.
Aug 28, 2002 Issue discovered Aug 30, 2002 Vendor notified, Cisco Systems PSIRT team notified by the TAC Sep 03, 2002 Vendor confirmed the issue, bug referenced: CSCdy51810 Sep 04, 2002 IDS Europe mailing list notified Sep 13, 2002 New build with fix available Nov 05, 2002 Public disclosure on Bugtraq mailing list
 Correlation / Vendor status No Common Vulnerabilities and Exposures (CVE) identification assigned now
Vendor referenced ID for this issue: CSCdy51810 New OS build with patch released: 18.104.22.168
Vendor don't have plans to issue security advisory, vendor PSIRT (Product Security Incident Response Team) is considering the problem as "unexpected behavior".
Discovery and exploitation Research: Nils Reichen GCIA CCIE#6763 email@example.com
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author or an entity where he belongs be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Please send suggestions, updates, and comments to: Nils Reichen LANexpert SA http://www.lanexpert.ch/ Official : firstname.lastname@example.org