Cisco PIX 500 Series Security Appliances

Document ID: 59676

Revision 1.0

Last Updated 2002 November 11

Contents

Summary
Details
Cisco Security Procedures

Summary

This document is provided to simplify access to Cisco responses to possible product security vulnerability issues posted in public forums for Cisco customers. This does not imply that Cisco perceives each of these issues as an actual product security vulnerability. This notice is provided on an "as is" basis and does not imply any kind of guarantee or warranty. Your use of the information on the page or materials linked from this page are at your own risk. Cisco reserves the right to change or update this page without notice at any time.

Details

Original Report: http://www.securityfocus.com/archive/1/299046 . Cisco responded with the following, which is also archived at http://www.securityfocus.com/archive/1/299253 .

To: BugTraq 
Subject: Re: Cisco PIX SSH/telnet dDOS vulnerability CSCdy51810
Date: Nov 11 2002 5:52PM 
Author: Sharad Ahlawat <sahlawat@cisco.com>
Message-ID: <200211110952.55546.sahlawat@cisco.com>
In-Reply-To: <20021105212004.8196.qmail@mail.securityfocus.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This email is in response to the BugTraq posting at 
http://online.securityfocus.com/archive/1/299046

There are two issues in the original email which are addressed below.

1) The TCP stack on the PIX is non RFC compliant in responding to TCP packets 
destined to the network broadcast address. 

One could craft a telnet/ssh client to connect to the PIX by sending requests 
to the network broadcast address of the subnet the PIX is connected to. Even 
if one was able to connect to the PIX, by using such a crafted client, one 
would still need an account/password to gain access to the PIX.

Security of the PIX is not compromised.

A router does not allow directed broadcasts by default so such behavior can 
only be experienced on the local subnet. If directed broadcast is required 
for a subnet then using the ACL option of the directed broadcast command on 
the router, TCP directed broadcasts can be filtered out for the subnet.

This nonconformant behavior is being fixed in all upcoming PIX releases by 
allowing new TCP sessions to be created only if the packet was sent to the 
PIX interface address. Packets sent to the broadcast or subnet address would 
be dropped.

2) PIX releases unused memory and will allocate memory using a best fit scheme 
which will reuse freed chunks of memory. When allocating memory, the PIX will 
first attempt to re-use memory that was freed and not part of the contiguous 
heap.
  
Cisco has performed additional testing and confirms that no fragmentation or 
memory leaks are seen based on the attack described in this report.

- -- 
Sharad Ahlawat
Cisco Product Security Incident Response Team (PSIRT)
http://www.cisco.com/go/psirt
Phone:+1 (408) 527-6087
PGP-key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC12A996C
-----BEGIN PGP SIGNATURE-----
Comment: Sharad Ahlawat - PGP Fingerprint: 9A93 2A20 43E5 7F01 2954  C427 1A81 A898
C12A 996C

iD8DBQE9z+5uGoGomMEqmWwRAkutAKDrIibzMoFWk/7jNLYxrLnE68Oh8wCgxDWI
ZpPJruButb2d+Kz8EIDTHO4=
=P3Yk
-----END PGP SIGNATURE-----

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.