I think that Konstantin Gavrilenko from Arhont Ltd.- Information Security did an outstanding job of documenting a Cisco PIX TCP Connection Prevention vulnerability. Cisco's response to this vulnerability announcement is here. He has documented what could be termed a resource attack on the PIX; forcing the Firewall to expend unnecessary resources reacting to a scripted packet. This attack could potentially slow user connections through the Firewall and in the extreme worst case possibly cause the Firewall to reload but does not expose the protected network. Gavrilenko has done an excellent job of communicating this issue that his work uncovered. I think even novice PIX Admins will be able to understand his findings.
I'd strongly suggest that all PIX Admins read the report and also go over the Cisco response. This is the first response that I've seen since PIX OS v7 came out. Cisco PSIRT present work arounds for both the v6.x and v7.x PIX operating systems. The vulnerability can best be exploited by an attacker on a inside interface.
One caution after reading the Cisco response; the first work around suggests that issuing a "clear xlate" or "clear local-host " will allow the PIX to pass connections again. I hope that most PIX Admins will appreciate that "clear xlate" will affect all connections going through the PIX were "clear local-host ..." only clears a single connection. Admins should use the "clear xlate" with caution on production networks.
No comments:
Post a Comment