November 30, 2005

Good Disclosure...

I think that Konstantin Gavrilenko from Arhont Ltd. - Information Security did an outstanding job of documenting a Cisco PIX TCP Connection Prevention vulnerability. Cisco's response to this vulnerability announcement is here. He has documented what could be termed a resource attack on the PIX: forcing the Firewall to expend unnecessary resources reacting to a scripted packet. This attack could potentially slow user connections through the Firewall and, in the extreme worst case, possibly cause the Firewall to reload, but it does not expose the protected network. Gavrilenko has done an excellent job of communicating the issue that his work uncovered. I think even novice PIX Admins will be able to understand his findings.

I'd strongly suggest that all PIX Admins read the report and also go over the Cisco response. This is the first response that I've seen since PIX OS v7 came out. Cisco PSIRT presents workarounds for both the v6.x and v7.x PIX operating systems. The vulnerability can best be exploited by an attacker on an inside interface.

One caution after reading the Cisco response: the first workaround suggests that issuing a "clear xlate" or "clear local-host ..." will allow the PIX to pass connections again. I hope that most PIX Admins will appreciate that "clear xlate" will affect all connections going through the PIX, whereas "clear local-host ..." only clears a single connection. Admins should use "clear xlate" with caution on production networks.

November 22, 2005

Updated SANS Top Twenty Vulnerabilities

The folks over at SANS.org released version 6 of their Top Twenty List of Critical Security Vulnerabilities today. When SANS started publishing their lists I always advised security analysts, and in particular Firewall admins, to strongly consider these vulnerabilities when creating and maintaining Firewall rules. Some time back the folks that compile the list started breaking out Windows vulnerabilities from the others. What is new to the list this year is that the SANS team has further structured it to look separately at Windows, networking, and cross-platform (or web application) vulnerabilities.

November 18, 2005

Black Hat no more?

I don't know if anyone saw this coming: Black Hat was acquired by CMP Media for about $10 million. I know that when you look at the web site Black Hat lists consulting services as available, but I had never actually read anything about work they might have done. The Black Hat conference is the premiere annual security event. I think everyone is asking whether Black Hat will be able to maintain its edge as part of a much larger (and seemingly much more conservative) media company. What's next, Ozzy Osbourne's music library being acquired by the Osmonds?