Identifying and Mitigating Exploitation of the Cisco IPS SSL DoS and Fragmentation Packet Evasion

Advisory ID: cisco-amb-20060922-ips

http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20060922-ips

Revision 1.0

For Public Release 2006 September 22 16:00 UTC (GMT)


Contents

Cisco Response
Device Specific Mitigation and Identification
Additional Information
Revision History
Cisco Security Procedures
Related Information

Cisco Response

Vulnerability Characteristics

Two vulnerabilities exist within the Cisco Intrusion Prevention System (IPS). The first is an SSL Denial of Service, which can be exploited remotely with no authentication and no user interaction. If it is successfully exploited, the IPS device becomes unmanageable via the web administration interface and stops reporting events to external management stations. Signatures whose automated response actions require communication with external devices will not be able to execute those actions. The IPS device still performs inspection and still issues TCP reset actions; if deployed inline, it continues to perform drop and block response actions. The attack vector is a malformed SSLv2 hello packet sent to the management interface, which in a standard configuration listens on TCP port 443. This vulnerability is not covered by a CVE ID.

The second vulnerability, a fragmented packet inspection evasion, can also be exploited remotely with no authentication and no user interaction. The attack targets are likely to be hosts on the network that the IPS is monitoring rather than the IPS itself. If it is successfully exploited, an attacker can evade IPS inspection with a sequence of specially constructed IPv4 packets. This vulnerability is not covered by a CVE ID.

This document contains information to assist Cisco customers in mitigating attempts to exploit the Cisco Intrusion Prevention Systems (IPS) SSL Denial of Service and Fragmented Packet Inspection Evasion Vulnerabilities.

Vulnerable, non-affected, and fixed software information is available in the PSIRT Security Advisory at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20060920-ips.

Mitigation Technique Overview

Cisco devices provide several countermeasures for the SSL Denial of Service vulnerability. The most effective preventive control is an access list applied directly to the IPS device, which restricts the management interface to trusted management stations.

Cisco firewalls and routers provide additional mitigation by using transit access lists to block traffic to the IPS management interface from non-management IP addresses. Cisco PIX, ASA, and FWSM firewalls provide effective mitigation for the fragmented packet inspection evasion vulnerability through their default fragment reassembly behavior.

Risk Management

Organizations are advised to follow their standard risk evaluation and mitigation processes to determine the potential impact of these vulnerabilities. Triage refers to sorting projects and prioritizing efforts that are most likely to be successful. Cisco has provided documents that can help organizations develop a risk-based triage capability for their information security teams. Risk Triage for Security Vulnerability Announcements and Risk Triage and Prototyping can help organizations develop repeatable security evaluation and response processes.

Device-specific Mitigation and Identification

Specific information on mitigation and identification is available for these devices:

Cisco Intrusion Prevention System (IPS)

caution Caution: The effectiveness of any mitigation technique is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Mitigation: SSL Denial of Service Vulnerability

Device Access Lists

Access control can be applied directly to the IPS/IDS device to limit access to the SSL web and management interface. In the following examples, 192.168.100.1 and 192.168.100.2 are the trusted management stations. This is the most effective mitigation because it is enforced on the IPS device itself.

IPS 5.x

Sensor5x#conf t
Sensor5x(config)#service host
Sensor5x(config-hos)#network-settings
Sensor5x(config-hos-net)#access-list 192.168.100.1/32
Sensor5x(config-hos-net)#access-list 192.168.100.2/32
Sensor5x(config-hos-net)#exit
Sensor5x(config-hos)#exit
Apply Changes:?[yes]:yes

IDS 4.x

Sensor4x#conf t
Sensor4x(config)#service host
Sensor4x(config-Host)#networkParams
Sensor4x(config-Host-net)#accessList ipAddress 192.168.100.1
                       netmask 255.255.255.255
Sensor4x(config-Host-net)#accessList ipAddress 192.168.100.2
                       netmask 255.255.255.255
Sensor4x(config-Host-net)#exit
Sensor4x(config-Host)#exit
Apply Changes:?[yes]:yes

Identification: SSL Denial of Service Vulnerability

System Event Error Logs

IPS/IDS devices that have been attacked may show the following error events shortly before mainApp fails. Once mainApp has failed, the device stops responding to web requests. The event below was the last one recorded before mainApp failed on a test device running software version 5.0(6). Note that the mainApp failure itself does not generate a system event on the IPS/IDS device, so these error events are the only on-device indicator.

Sensor5x#show events error past 00:02:00
evError: eventId=951860176378213093 severity=error vendor=Cisco
  originator:
    hostId: Sensor5x
    appName: cidwebserver
    appInstanceId: 512
  time: 2006/09/11 23:10:25 2006/09/11 23:10:25 UTC
  errorMessage: name=errUnclassified srvcReq protoErr: record_overflow [22,0]

In other instances the following grouping of events may appear. This output is from the same device that suffered the mainApp failure.

Sensor5x#show events error past 00:02:00
evError: eventId=951866996378213266 severity=error vendor=Cisco
  originator:
    hostId: Sensor5x
    appName: cidwebserver
    appInstanceId: 688
  time: 2006/09/13 20:58:45 2006/09/13 20:58:45 UTC
  errorMessage: name=errUnclassified srvcReq protoErr: protocol_version [70,0]
evError: eventId=951866996378213267 severity=error vendor=Cisco
  originator:
    hostId: Sensor5x
    appName: cidwebserver
    appInstanceId: 480
  time: 2006/09/13 20:58:45 2006/09/13 20:58:45 UTC
  errorMessage: name=errTransport WebSession::sessionTask(9)
   TLS connection exception: handshake incomplete.
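The following script is an added example for this bulletin, not Cisco code or output from the sensor. It parses the text of show events error from an IPS 5.x sensor, picks out the cidwebserver error messages shown above (record_overflow, protocol_version, TLS handshake incomplete), and flags a burst of them as a possible SSL Denial of Service attempt. The sample output is constructed from the events above plus one unrelated event; the burst threshold of two events within two minutes is an assumption chosen for illustration.

```python
"""Flag the cidwebserver error events that precede a mainApp failure.

Added example, not part of the Cisco bulletin. It parses the text of
'show events error' from a Cisco IPS 5.x sensor and reports events whose
errorMessage matches one of the three indicator strings shown in the
bulletin. The burst threshold and window are assumptions.
"""
import re
from datetime import datetime, timedelta

# Indicator substrings taken from the bulletin's sample events.
SSL_DOS_INDICATORS = (
    "srvcReq protoErr: record_overflow",
    "srvcReq protoErr: protocol_version",
    "TLS connection exception: handshake incomplete",
)

# Constructed sample: the bulletin's three events plus one unrelated event.
SAMPLE_OUTPUT = """\
Sensor5x#show events error past 00:02:00
evError: eventId=951860176378213093 severity=error vendor=Cisco
  originator:
    hostId: Sensor5x
    appName: cidwebserver
    appInstanceId: 512
  time: 2006/09/11 23:10:25 2006/09/11 23:10:25 UTC
  errorMessage: name=errUnclassified srvcReq protoErr: record_overflow [22,0]
evError: eventId=951866996378213266 severity=error vendor=Cisco
  originator:
    hostId: Sensor5x
    appName: cidwebserver
    appInstanceId: 688
  time: 2006/09/13 20:58:45 2006/09/13 20:58:45 UTC
  errorMessage: name=errUnclassified srvcReq protoErr: protocol_version [70,0]
evError: eventId=951866996378213267 severity=error vendor=Cisco
  originator:
    hostId: Sensor5x
    appName: cidwebserver
    appInstanceId: 480
  time: 2006/09/13 20:58:45 2006/09/13 20:58:45 UTC
  errorMessage: name=errTransport WebSession::sessionTask(9)
   TLS connection exception: handshake incomplete.
evError: eventId=951866996378213300 severity=warning vendor=Cisco
  originator:
    hostId: Sensor5x
    appName: mainApp
    appInstanceId: 311
  time: 2006/09/13 21:02:10 2006/09/13 21:02:10 UTC
  errorMessage: name=errUnclassified constructed unrelated event for the example
"""

EVENT_HEADER = re.compile(r"^evError: eventId=(\d+) severity=(\w+)")


def parse_events(text):
    """Split 'show events error' output into one dict per evError record."""
    events = []
    for chunk in re.split(r"(?m)^(?=evError:)", text):
        header = EVENT_HEADER.match(chunk)
        if not header:
            continue  # command echo or other non-event text
        ev = {"eventId": header.group(1), "severity": header.group(2)}
        for key in ("hostId", "appName", "appInstanceId"):
            m = re.search(rf"^\s*{key}: (\S+)", chunk, re.M)
            ev[key] = m.group(1) if m else None
        # The time line carries local time then UTC; keep the UTC value.
        m = re.search(r"^\s*time: .*?(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) UTC", chunk, re.M)
        ev["time"] = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S") if m else None
        # errorMessage may continue on indented lines; collapse the whitespace.
        m = re.search(r"^\s*errorMessage: (.*?)(?=^\S|\Z)", chunk, re.M | re.S)
        ev["errorMessage"] = " ".join(m.group(1).split()) if m else ""
        events.append(ev)
    return events


def ssl_dos_indicators(events):
    """Return the cidwebserver events whose message matches a known indicator."""
    return [ev for ev in events
            if ev["appName"] == "cidwebserver"
            and any(ind in ev["errorMessage"] for ind in SSL_DOS_INDICATORS)]


def burst_detected(events, threshold=2, window=timedelta(minutes=2)):
    """True when at least `threshold` indicator events fall within `window`."""
    times = sorted(ev["time"] for ev in ssl_dos_indicators(events) if ev["time"])
    for i, start in enumerate(times):
        if sum(1 for t in times[i:] if t - start <= window) >= threshold:
            return True
    return False


if __name__ == "__main__":
    evs = parse_events(SAMPLE_OUTPUT)
    for ev in ssl_dos_indicators(evs):
        print(ev["time"], ev["appName"], ev["errorMessage"])
    print("burst detected:", burst_detected(evs))
```

Because the mainApp failure itself produces no event, these cidwebserver errors have to be collected while the sensor is still reachable, or from a syslog copy; a burst of them warrants checking that the device access list above is in place.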

Signature Summary

Signature pack S249 contains signatures 5182.0 and 5182.1, which detect attempts to exploit the SSL Denial of Service vulnerability.

Internet Edge Routers

caution Caution: The effectiveness of any mitigation technique is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Mitigation: SSL Denial of Service

Transit Access Lists

Transit access control lists (tACLs) can limit access to the SSL web and management interface of the IPS/IDS device. This is an effective means of providing defense-in-depth access control in addition to the access control capabilities of the IPS device itself. The following ACL is designed to permit access from trusted management stations and deny all other access. SSH, while not vulnerable, is included in the access list so that management console access to the device is preserved. In this example, the management station IP addresses are 192.168.100.1 and 192.168.100.2, while the IPS device IP address is 172.16.100.2.

Added access list entries should be implemented as part of a transit access control list that filters transit and edge traffic at network ingress points.

For more information on ACLs, refer to Transit Access Control Lists: Filtering at Your Edge.


!-- Allow SSL and SSH from trusted source addresses only.

access-list 150 permit tcp  host 192.168.100.1 host 172.16.100.2 eq 443
access-list 150 permit tcp  host 192.168.100.2 host 172.16.100.2 eq 443
access-list 150 permit tcp  host 192.168.100.1 host 172.16.100.2 eq 22
access-list 150 permit tcp  host 192.168.100.2 host 172.16.100.2 eq 22

!-- Block SSL and SSH from all other source addresses.
!-- This is useful for identifying attack attempts.

access-list 150 deny tcp any host 172.16.100.2 eq 443
access-list 150 deny tcp any host 172.16.100.2 eq 22

!-- Deny all other access to the IPS / IDS device.

access-list 150 deny ip any host 172.16.100.2

!-- Permit/deny other traffic in accordance with existing security policy.


interface serial 2/0
 ip access-group 150 in

Identification: SSL Denial of Service

Once the interface access list is applied to the ingress interface, the command show access-list <acl number> can be used to identify the number of packets being filtered. Filtered packets should be investigated to determine if they are attempts to exploit this issue.

Following is example output for the show access-list 150 command:

Edge-Router#show access-list 150
Extended IP access list 150
    10 permit tcp host 192.168.100.1 host 172.16.100.2 eq 443 (110 matches)
    20 permit tcp host 192.168.100.2 host 172.16.100.2 eq 443 (110 matches)
    30 permit tcp host 192.168.100.1 host 172.16.100.2 eq 22 (95 matches)
    40 permit tcp host 192.168.100.2 host 172.16.100.2 eq 22 (87 matches)
    50 deny tcp any host 172.16.100.2 eq 443 (18 matches)
    60 deny tcp any host 172.16.100.2 eq 22 (2 matches)
    70 deny ip any host 172.16.100.2 (9 matches)

In the above example, 18 SSL and 2 SSH packets have been dropped by the access list configured inbound on interface Serial 2/0.

Mitigation: Fragment Packet Inspection Evasion Vulnerability

Transit Access Lists

Extended access lists support a fragments keyword that applies an entry only to non-initial fragments, which carry no Layer 4 header. This feature can be used to permit or deny non-initial fragments that match the entry. In the following example, all non-initial TCP and UDP fragments destined to the 172.16.100.0/24 internal network are denied. Because access lists are evaluated in order, placing these deny statements before any permit statements filters out all non-initial fragments to that network. If fragments are required for certain devices to operate correctly, permit entries for those devices should be placed before the entries that use the fragments keyword. While this is a functional solution, Cisco firewalls provide a more effective solution because they reassemble fragments before inspection.

Added access list entries should be implemented as part of a Transit Access Control List that filters transit and edge traffic at network ingress points.

For more information on ACLs, refer to Transit Access Control Lists: Filtering at Your Edge.


!-- Block all non-initial TCP and UDP fragments.

access-list 140 deny tcp any 172.16.100.0 0.0.0.255 fragments
access-list 140 deny udp any 172.16.100.0 0.0.0.255 fragments

!-- Permit/deny other traffic in accordance with existing security policy.


interface serial 2/0
  ip access-group 140 in

Identification: Fragment Packet Inspection Evasion Vulnerability

Once the interface access list is applied to the ingress interface, the command show access-list <acl number> can be used to identify the number of packets being filtered. Filtered packets should be investigated to determine if they are attempts to exploit this issue.

Following is example output for the show access-list 140 command:

Edge-Router#show access-list 140
Extended IP access list 140
    10 deny tcp any 172.16.100.0 0.0.0.255 fragments (10 matches)
    20 deny udp any 172.16.100.0 0.0.0.255 fragments (0 matches)

In the above example, 10 non initial fragmented TCP packets have been dropped by the access list configured inbound on interface Serial 2/0.
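The following Python model is an added example, not Cisco code. It evaluates the two transit access lists from this section and from the SSL Denial of Service section above (access lists 140 and 150) against constructed packets, using first-match semantics and the fragment handling Cisco documents for IOS ACLs: an entry with only Layer 3 information applies to all fragments, an entry with port information is applied to a non-initial fragment only as a permit (a deny is skipped and the next entry is evaluated), and an entry with the fragments keyword applies only to non-initial fragments. Those rules, the IOS-style sequence numbers 10, 20, ... and the packet addresses are assumptions of the example.

```python
"""First-match evaluation of the bulletin's IOS access lists 150 and 140,
with Cisco's documented fragment handling.

Added example, not from the bulletin. The ACL text is the bulletin's; the
packets are constructed. Fragment rules modelled (the assumption this
example rests on):
  * ACE with Layer 3 info only: applies to initial and non-initial fragments.
  * ACE with Layer 4 info (a port) and no 'fragments' keyword: a non-initial
    fragment matching the Layer 3 part is permitted by a permit ACE, while a
    deny ACE is skipped and the next ACE is evaluated.
  * ACE with the 'fragments' keyword: applies only to non-initial fragments.
"""
import ipaddress
from dataclasses import dataclass

ACL_150 = """
access-list 150 permit tcp host 192.168.100.1 host 172.16.100.2 eq 443
access-list 150 permit tcp host 192.168.100.2 host 172.16.100.2 eq 443
access-list 150 permit tcp host 192.168.100.1 host 172.16.100.2 eq 22
access-list 150 permit tcp host 192.168.100.2 host 172.16.100.2 eq 22
access-list 150 deny tcp any host 172.16.100.2 eq 443
access-list 150 deny tcp any host 172.16.100.2 eq 22
access-list 150 deny ip any host 172.16.100.2
"""

ACL_140 = """
access-list 140 deny tcp any 172.16.100.0 0.0.0.255 fragments
access-list 140 deny udp any 172.16.100.0 0.0.0.255 fragments
"""


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", ...
    dport: int = 0        # 0 when no Layer 4 header is present
    frag_offset: int = 0  # > 0 marks a non-initial fragment

    @property
    def non_initial(self):
        return self.frag_offset > 0


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a wildcard (host) mask after the slash.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT] [fragments]' lines.
    Entries are numbered 10, 20, 30, ... as IOS would show them."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        ace = {"seq": 10 * (len(aces) + 1), "action": t[2], "proto": t[3],
               "port": None, "fragments": False}
        ace["src"], i = _addr(t, 4)
        ace["dst"], i = _addr(t, i)
        rest = t[i:]
        if rest[:1] == ["eq"]:
            ace["port"], rest = int(rest[1]), rest[2:]
        if rest[:1] == ["fragments"]:
            ace["fragments"] = True
        aces.append(ace)
    return aces


def evaluate(aces, pkt):
    """Return (action, seq) of the first ACE that decides the packet;
    ("deny", None) is the implicit deny at the end of the list."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in aces:
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["fragments"]:
            if pkt.non_initial:
                return ace["action"], ace["seq"]
            continue
        if ace["port"] is not None:
            if pkt.non_initial:
                # No Layer 4 header to check: permit on the L3 match, skip a deny.
                if ace["action"] == "permit":
                    return "permit", ace["seq"]
                continue
            if pkt.dport != ace["port"]:
                continue
        return ace["action"], ace["seq"]
    return "deny", None


if __name__ == "__main__":
    acl150, acl140 = parse_acl(ACL_150), parse_acl(ACL_140)
    for pkt in (Packet("192.168.100.1", "172.16.100.2", "tcp", 443),
                Packet("198.51.100.9", "172.16.100.2", "tcp", 443),
                Packet("198.51.100.9", "172.16.100.2", "tcp", frag_offset=8),
                Packet("192.168.100.1", "172.16.100.2", "tcp", frag_offset=8)):
        print("ACL 150", pkt, "->", evaluate(acl150, pkt))
    for pkt in (Packet("198.51.100.9", "172.16.100.50", "tcp", 80),
                Packet("198.51.100.9", "172.16.100.50", "udp", frag_offset=8)):
        print("ACL 140", pkt, "->", evaluate(acl140, pkt))
```

The runs show why access list 150 ends with deny ip any host 172.16.100.2: a non-initial fragment from an untrusted source is not caught by the port-specific deny entries 50 and 60 and is only dropped by entry 70. They also show that access list 140 leaves initial fragments untouched; those fall through to the rest of the transit access list, which this model represents as the implicit deny.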

Cisco ASA and PIX Firewalls

caution Caution: The effectiveness of any mitigation technique is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

PIX 6.x

Mitigation: SSL Denial of Service

Access Lists

Access control lists can limit access to the SSL web and management interface of the IPS device. This is an effective means of providing defense in depth access control in addition to the access control capabilities of the IPS device. The following ACL is designed to permit access only from trusted management stations and deny all other access. SSH, while not vulnerable, is included as part of this access list to guarantee management access to the device console. In this example, the management station IP addresses are 192.168.100.1 and 192.168.100.2, while the IPS device IP address is 172.16.100.2.


!-- Allow access from trusted management sources for SSL and SSH.

access-list ips-ssl permit tcp host 192.168.100.1 host 172.16.100.2 eq https
access-list ips-ssl permit tcp host 192.168.100.2 host 172.16.100.2 eq https
access-list ips-ssl permit tcp host 192.168.100.2 host 172.16.100.2 eq ssh
access-list ips-ssl permit tcp host 192.168.100.1 host 172.16.100.2 eq ssh

!-- Deny access from all other sources for SSL and SSH.

access-list ips-ssl deny tcp any host 172.16.100.2 eq https
access-list ips-ssl deny tcp any host 172.16.100.2 eq ssh

!-- Deny all other access to the IPS / IDS device.

access-list ips-ssl deny ip any host 172.16.100.2

!-- Permit/deny other traffic in accordance with existing security policy.

access-group ips-ssl in interface outside

Identification: SSL Denial of Service

pix-525(config)#show access-list ips-ssl
access-list ips-ssl; 7 elements
access-list ips-ssl line 1 Allow access from trusted management sources for SSL and SSH
access-list ips-ssl line 2 permit tcp host 192.168.100.1 host 172.16.100.2 eq https (hitcnt=209)
access-list ips-ssl line 3 permit tcp host 192.168.100.2 host 172.16.100.2 eq https (hitcnt=209)
access-list ips-ssl line 4 permit tcp host 192.168.100.2 host 172.16.100.2 eq ssh (hitcnt=27)
access-list ips-ssl line 5 permit tcp host 192.168.100.1 host 172.16.100.2 eq ssh (hitcnt=15)
access-list ips-ssl line 6 deny tcp any host 172.16.100.2 eq https (hitcnt=46)
access-list ips-ssl line 7 deny tcp any host 172.16.100.2 eq ssh (hitcnt=0)
access-list ips-ssl line 8 deny ip any host 172.16.100.2 (hitcnt=0)

Mitigation: Fragmented Packet Inspection Evasion Vulnerability

The Cisco PIX Firewall in its default configuration reassembles fragmented IP packets and thereby mitigates the fragmented IPv4 packet inspection evasion vulnerability. Therefore, an IPS device screened by a Cisco firewall is exposed to this evasion only through traffic that does not traverse the firewall.

Identification: Fragmented Packet Inspection Evasion Vulnerability

Attempts to exploit the fragmented packet inspection evasion vulnerability will create the following syslog message: "106020 (Deny IP teardrop fragment)".

106020: Deny IP teardrop fragment (size = 40, offset = 0)
  from 192.168.2.112 to 172.16.100.5

For more information, refer to Cisco PIX Firewall System Log Message 106020.

PIX/ASA 7.x

Mitigation: SSL Denial of Service

Access Lists

Access control lists can limit access to the SSL web and management interface of the IPS device. This is an effective means of providing defense in depth access control in addition to the access control capabilities of the IPS device. The following ACL is designed to permit access only from trusted management stations and deny all other access. SSH, while not vulnerable, is included as part of this access list to guarantee management access to the device console. In this example, the management stations IP addresses are 192.168.100.1 and 192.168.100.2, while the IPS device IP address is 172.16.100.2.


!-- Allow access from trusted management sources for SSL and SSH.

access-list ips-ssl extended permit tcp host 192.168.100.1 host 172.16.100.2 eq https
access-list ips-ssl extended permit tcp host 192.168.100.2 host 172.16.100.2 eq https
access-list ips-ssl extended permit tcp host 192.168.100.2 host 172.16.100.2 eq ssh
access-list ips-ssl extended permit tcp host 192.168.100.1 host 172.16.100.2 eq ssh

!-- Deny access from all other sources for SSL and SSH.

access-list ips-ssl extended deny tcp any host 172.16.100.2 eq https
access-list ips-ssl extended deny tcp any host 172.16.100.2 eq ssh

!-- Deny all other access to the IPS / IDS device.

access-list ips-ssl extended deny ip any host 172.16.100.2

!-- Permit /Deny other traffic in accordance with existing security policy.

access-group ips-ssl in interface outside

Identification: SSL Denial of Service

R4-ASA5520a#show access-list ips-ssl
access-list ips-ssl; 7 elements
access-list ips-ssl line 1 Allow access from trusted management sources for SSL and SSH
access-list ips-ssl line 2 extended permit tcp host 192.168.100.1 host 172.16.100.2 eq https (hitcnt=209)
access-list ips-ssl line 3 extended permit tcp host 192.168.100.2 host 172.16.100.2 eq https (hitcnt=209)
access-list ips-ssl line 4 extended permit tcp host 192.168.100.2 host 172.16.100.2 eq ssh (hitcnt=44)
access-list ips-ssl line 5 extended permit tcp host 192.168.100.1 host 172.16.100.2 eq ssh (hitcnt=10)
access-list ips-ssl line 6 extended deny tcp any host 172.16.100.2 eq https (hitcnt=22)
access-list ips-ssl line 7 extended deny tcp any host 172.16.100.2 eq ssh (hitcnt=10)
access-list ips-ssl line 8 extended deny ip any host 172.16.100.2 (hitcnt=33)

Mitigation: Fragmented Packet Inspection Evasion Vulnerability

Cisco PIX and ASA security appliances in their default configuration reassemble fragmented IP packets and thereby mitigate the fragmented IPv4 packet inspection evasion vulnerability. Therefore, an IPS device screened by a Cisco firewall is exposed to this evasion only through traffic that does not traverse the firewall.

Identification: Fragmented Packet Inspection Evasion Vulnerability

Attempts to exploit the fragmented packet inspection evasion vulnerability will create the following syslog message: "106020 (Deny IP teardrop fragment)".

%ASA-2-106020: Deny IP teardrop fragment
  (size = 20, offset = 0) from 192.168.2.112 to 172.16.100.5

For more information, refer to Cisco Security Appliance System Log Message 106020.

Firewall Services Module

caution Caution: The effectiveness of any mitigation technique is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Mitigation: SSL Denial of Service

Access Lists

Access control lists can limit access to the SSL web and management interface of the IPS device. This is an effective means of providing defense in depth access control in addition to the access control capabilities of the IPS device. The following ACL is designed to permit access only from trusted management stations and deny all other access. SSH, while not vulnerable, is included as part of this access list to guarantee management access to the device console. In this example, the management station IP addresses are 192.168.100.1 and 192.168.100.2, while the IPS device IP address is 172.16.100.2.


!-- Allow access from trusted management sources for SSL and SSH.

access-list ips-ssl extended permit tcp host 192.168.100.1 host 172.16.100.2 eq https
access-list ips-ssl extended permit tcp host 192.168.100.2 host 172.16.100.2 eq https
access-list ips-ssl extended permit tcp host 192.168.100.2 host 172.16.100.2 eq ssh
access-list ips-ssl extended permit tcp host 192.168.100.1 host 172.16.100.2 eq ssh

!-- Deny access from all other sources for SSL and SSH.

access-list ips-ssl extended deny tcp any host 172.16.100.2 eq https
access-list ips-ssl extended deny tcp any host 172.16.100.2 eq ssh

!-- Deny all other access to the IPS / IDS device.

access-list ips-ssl extended deny ip any host 172.16.100.2

!-- Permit/deny other traffic in accordance with existing security policy.

access-group ips-ssl in interface outside

Identification: SSL Denial of Service

FWSM#show access-list ips-ssl
access-list ips-ssl; 7 elements
access-list ips-ssl line 1 Allow access from trusted management sources for SSL and SSH
access-list ips-ssl line 2 extended permit tcp host 192.168.100.1 host 172.16.100.2 eq https (hitcnt=291)
access-list ips-ssl line 3 extended permit tcp host 192.168.100.2 host 172.16.100.2 eq https (hitcnt=290)
access-list ips-ssl line 4 extended permit tcp host 192.168.100.2 host 172.16.100.2 eq ssh (hitcnt=53)
access-list ips-ssl line 5 extended permit tcp host 192.168.100.1 host 172.16.100.2 eq ssh (hitcnt=14)
access-list ips-ssl line 6 extended deny tcp any host 172.16.100.2 eq https (hitcnt=22)
access-list ips-ssl line 7 extended deny tcp any host 172.16.100.2 eq ssh (hitcnt=0)
access-list ips-ssl line 8 extended deny ip any host 172.16.100.2 (hitcnt=0)
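The following script is an added example, not Cisco code. It parses the counter lines of show access-list in the IOS format used in the Internet Edge Routers section ("(N matches)") and in the PIX, ASA and FWSM format shown above ("(hitcnt=N)"), and reports deny entries whose counters grew between two snapshots, which is the check to run when investigating filtered packets. The current snapshots are the sample outputs from this document; the earlier IOS snapshot is constructed.

```python
"""Track deny hits on the IPS-protection access lists across snapshots.

Added example, not from the bulletin. It parses the counter lines of
'show access-list' in the IOS form ("(N matches)") and the PIX/ASA/FWSM
form ("(hitcnt=N)"), then reports deny entries whose counters grew between
two snapshots. The current snapshots are the bulletin's sample outputs;
the IOS baseline snapshot is constructed.
"""
import re

# Both patterns yield the same groups: sequence/line, action, rule, hits.
IOS_LINE = re.compile(r"^\s*(\d+) (permit|deny) (.+?) \((\d+) match(?:es)?\)\s*$")
FW_LINE = re.compile(r"^access-list \S+ line (\d+) (?:extended )?(permit|deny) (.+?) ?\(hitcnt=(\d+)\)")

IOS_NOW = """\
Edge-Router#show access-list 150
Extended IP access list 150
    10 permit tcp host 192.168.100.1 host 172.16.100.2 eq 443 (110 matches)
    20 permit tcp host 192.168.100.2 host 172.16.100.2 eq 443 (110 matches)
    30 permit tcp host 192.168.100.1 host 172.16.100.2 eq 22 (95 matches)
    40 permit tcp host 192.168.100.2 host 172.16.100.2 eq 22 (87 matches)
    50 deny tcp any host 172.16.100.2 eq 443 (18 matches)
    60 deny tcp any host 172.16.100.2 eq 22 (2 matches)
    70 deny ip any host 172.16.100.2 (9 matches)
"""

# Constructed earlier snapshot of the same access list.
IOS_BEFORE = """\
Edge-Router#show access-list 150
Extended IP access list 150
    10 permit tcp host 192.168.100.1 host 172.16.100.2 eq 443 (80 matches)
    20 permit tcp host 192.168.100.2 host 172.16.100.2 eq 443 (81 matches)
    30 permit tcp host 192.168.100.1 host 172.16.100.2 eq 22 (70 matches)
    40 permit tcp host 192.168.100.2 host 172.16.100.2 eq 22 (61 matches)
    50 deny tcp any host 172.16.100.2 eq 443 (3 matches)
    60 deny tcp any host 172.16.100.2 eq 22 (2 matches)
    70 deny ip any host 172.16.100.2 (9 matches)
"""

ASA_NOW = """\
R4-ASA5520a#show access-list ips-ssl
access-list ips-ssl; 7 elements
access-list ips-ssl line 1 Allow access from trusted management sources for SSL and SSH
access-list ips-ssl line 2 extended permit tcp host 192.168.100.1 host 172.16.100.2 eq https (hitcnt=209)
access-list ips-ssl line 3 extended permit tcp host 192.168.100.2 host 172.16.100.2 eq https (hitcnt=209)
access-list ips-ssl line 4 extended permit tcp host 192.168.100.2 host 172.16.100.2 eq ssh (hitcnt=44)
access-list ips-ssl line 5 extended permit tcp host 192.168.100.1 host 172.16.100.2 eq ssh (hitcnt=10)
access-list ips-ssl line 6 extended deny tcp any host 172.16.100.2 eq https (hitcnt=22)
access-list ips-ssl line 7 extended deny tcp any host 172.16.100.2 eq ssh (hitcnt=10)
access-list ips-ssl line 8 extended deny ip any host 172.16.100.2 (hitcnt=33)
"""


def parse_counters(text):
    """Return [{seq, action, rule, hits}] from IOS or PIX/ASA/FWSM output."""
    rows = []
    for line in text.splitlines():
        m = IOS_LINE.match(line) or FW_LINE.match(line)
        if m:
            rows.append({"seq": int(m.group(1)), "action": m.group(2),
                         "rule": m.group(3).strip(), "hits": int(m.group(4))})
    return rows


def deny_growth(before, after):
    """Map seq -> (rule, new hits) for deny entries whose counter increased.
    A missing baseline, or a counter that was cleared, counts from zero."""
    base = {r["seq"]: r["hits"] for r in before}
    growth = {}
    for r in after:
        if r["action"] != "deny":
            continue
        prev = base.get(r["seq"], 0)
        delta = r["hits"] - prev if r["hits"] >= prev else r["hits"]
        if delta > 0:
            growth[r["seq"]] = (r["rule"], delta)
    return growth


if __name__ == "__main__":
    for seq, (rule, delta) in sorted(deny_growth(parse_counters(IOS_BEFORE),
                                                  parse_counters(IOS_NOW)).items()):
        print(f"ACL 150 entry {seq}: +{delta} denied ({rule})")
    for seq, (rule, delta) in sorted(deny_growth([], parse_counters(ASA_NOW)).items()):
        print(f"ips-ssl line {seq}: {delta} denied ({rule})")
```

Counters are cumulative until they are cleared, so compare snapshots rather than absolute values. They give volume only; to see source addresses, the IOS deny entries can carry the log-input keyword, and the PIX, ASA and FWSM record access list denies in syslog (message 106023), both at some cost in logging load.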

Mitigation: Fragmented Packet Inspection Evasion Vulnerability

By default, the FWSM does not forward fragmented packets, so an IPS device screened by the FWSM is effectively protected against the fragmented packet inspection evasion vulnerability for all traffic that traverses the FWSM.

Identification: Fragmented Packet Inspection Evasion Vulnerability

Attempts to exploit the fragmented packet inspection evasion vulnerability will create the following syslog message: "106020 (Deny IP teardrop fragment)".

%FWSM-2-106020: Deny IP teardrop fragment
  (size = 20, offset = 0) from 192.168.1.112 to 172.16.100.5

For more information, refer to Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Logging Configuration and System Log Message 106020.
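The following script is an added example, not Cisco code. It normalizes the 106020 messages from the PIX 6.x, ASA and FWSM identification sections above, with or without a syslog timestamp and hostname prefix, and counts them by source and by target so that a scanning host and the hosts it is trying to reach behind the firewall stand out. The sample lines are constructed around the messages shown in this document (the unrelated 106023 line included as a distractor is also constructed); the alert threshold is an assumption.

```python
"""Parse PIX/ASA/FWSM syslog 106020 (Deny IP teardrop fragment) messages and
summarise attempted fragment evasion by source and target.

Added example, not from the bulletin. It accepts the PIX 6.x form
("106020: ..."), the ASA form ("%ASA-2-106020: ...") and the FWSM form
("%FWSM-2-106020: ..."), with or without a syslog timestamp and hostname
prefix. Sample lines are constructed; the alert threshold is an assumption.
"""
import re
from collections import Counter

TEARDROP = re.compile(
    r"(?:%(?P<platform>PIX|ASA|FWSM)-\d-)?106020: Deny IP teardrop fragment "
    r"\(size = (?P<size>\d+), offset = (?P<offset>\d+)\) "
    r"from (?P<src>\d+(?:\.\d+){3}) to (?P<dst>\d+(?:\.\d+){3})"
)

# Constructed sample syslog feed; the last line is an unrelated ACL deny.
SAMPLE_SYSLOG = """\
Sep 13 20:58:41 pix-525 106020: Deny IP teardrop fragment (size = 40, offset = 0) from 192.168.2.112 to 172.16.100.5
Sep 13 20:58:42 asa-1 %ASA-2-106020: Deny IP teardrop fragment (size = 20, offset = 0) from 192.168.2.112 to 172.16.100.5
Sep 13 20:58:43 asa-1 %ASA-2-106020: Deny IP teardrop fragment (size = 20, offset = 8) from 192.168.2.112 to 172.16.100.7
Sep 13 20:58:44 fwsm-1 %FWSM-2-106020: Deny IP teardrop fragment (size = 20, offset = 0) from 192.168.1.112 to 172.16.100.5
Sep 13 20:58:45 asa-1 %ASA-4-106023: Deny tcp src outside:198.51.100.9/40112 dst inside:172.16.100.2/443 by access-group "ips-ssl"
"""


def parse_teardrop(lines):
    """Return one dict per 106020 message; other syslog lines are ignored."""
    events = []
    for line in lines.splitlines():
        m = TEARDROP.search(line)
        if m:
            ev = m.groupdict()
            # PIX 6.x prints the message without the %PLATFORM-n- prefix;
            # assume PIX when the prefix is absent.
            ev["platform"] = ev["platform"] or "PIX"
            ev["size"], ev["offset"] = int(ev["size"]), int(ev["offset"])
            events.append(ev)
    return events


def summarize(events, threshold=2):
    """Return (sources at or above threshold, all targets) as Counters."""
    by_src = Counter(ev["src"] for ev in events)
    targets = Counter(ev["dst"] for ev in events)
    flagged = Counter({s: n for s, n in by_src.items() if n >= threshold})
    return flagged, targets


if __name__ == "__main__":
    evs = parse_teardrop(SAMPLE_SYSLOG)
    flagged, targets = summarize(evs)
    for src, n in flagged.most_common():
        print(f"{src}: {n} teardrop fragments denied")
    print("targets:", dict(targets))
```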

Cisco IPS Management and Reporting Applications

Identification: SSL Denial of Service

Cisco CS-MARS will report an inactive reporting device after one hour in which no events have been received. In the figure, the IP address 10.89.236.158 is the non-reporting IPS device.

[Figure: cisco-amb-20060922-ips-01.gif, CS-MARS inactive reporting device report]

Cisco CSM will report failed HTTP requests when attempting to query the device for statistics or events. In the figure, the IP address 10.89.236.158 is the non-reporting IPS device.

[Figure: cisco-amb-20060922-ips-02.gif, CSM failed HTTP request report]

Additional Information

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Revision History

Revision 1.0

2006-September-22

Initial public release.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

Related Information