Thursday, December 20, 2007

[NEWS] Application Inspection Vulnerability in Cisco Firewall Services Module

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

Application Inspection Vulnerability in Cisco Firewall Services Module
------------------------------------------------------------------------


SUMMARY

A vulnerability exists in the Cisco Firewall Services Module (FWSM) "a
high-speed, integrated firewall module for Cisco Catalyst 6500 switches
and Cisco 7600 Series routers, that may result in a reload of the FWSM".
The only affected FWSM System Software Version is 3.2(3).

There are no known instances of intentional exploitation of this issue.
However, Cisco has observed data streams that appear to be unintentionally
triggering this vulnerability.

DETAILS

Vulnerable Products
The FWSM is vulnerable if running System Software version 3.2(3).

To determine if the FWSM is vulnerable, issue the show module command-line
interface (CLI) command from Cisco IOS or Cisco CatOS to identify what
modules and sub-modules are installed in the system.

The following example shows a system with a Firewall Service Module
(WS-SVC-FWM-1) installed in slot 4.

switch#show module
Mod Ports Card Type Model
Serial No.
--- ----- -------------------------------------- -----------------
-----------
1 48 SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX
SAxxxxxxxxx
4 6 Firewall Module WS-SVC-FWM-1
SAxxxxxxxxx
5 2 Supervisor Engine 720 (Active) WS-SUP720-BASE
SAxxxxxxxxx
6 2 Supervisor Engine 720 (Hot) WS-SUP720-BASE
SAxxxxxxxxx

After locating the correct slot, issue the show module command to
identify the software version that is running.

switch#show module 4
Mod Ports Card Type Model
Serial No.
--- ----- -------------------------------------- -----------------
-----------
4 6 Firewall Module WS-SVC-FWM-1
SAxxxxxxxxx

Mod MAC addresses Hw Fw Sw
Status
--- --------------------------------- ------ ------------
------------ -------
4 0003.e4xx.xxxx to 0003.e4xx.xxxx 3.0 7.2(1) 3.2(3)
Ok

The preceding example shows that the FWSM is running version 3.2(3) as
indicated by the column under "Sw" above.

Note: Recent versions of Cisco IOS will show the software version of each
module in the output from the show module command; therefore, executing
the show module command is not necessary.

Alternatively, the information can also be obtained directly from the FWSM
through the show version command as seen in the following example.

FWSM#show version
FWSM Firewall Version 3.2(3)

Customers who use the Cisco Adaptive Security Device Manager (ASDM) to
manage their devices can find the version of the software displayed in the
table in the login window or in the upper left corner of the ASDM window.
The version notation is similar to the following example.

FWSM Version: 3.2(3)

Products Confirmed Not Vulnerable:
* FWSM System Software versions 3.2(2) and earlier.
* FWSM System Software versions 3.1(x).
* FWSM System Software versions 1.x(y) and 2.x(y).
* Cisco PIX 500 Series Security Appliance (PIX).
* Cisco 5500 Series Adaptive Security Appliance (ASA).

Details:
A vulnerability exists in the processing of data in the control-plane path
with Layer 7 Application Inspections, that may result in a reload of the
FWSM. The vulnerability can be triggered with standard network traffic,
which is passed through the Application Layer Protocol Inspection process.

The only FWSM release affected by this vulnerability is FWSM System
Software version 3.2(3).

Impact:
Successful exploitation of the vulnerability may result in a reload of the
FWSM. Repeated exploitation will result in a sustained denial of service
attack.

Workarounds:
Disable the TCP Normalizing Function
Disabling the TCP normalizing function in the FWSM will mitigate this
vulnerability.

The TCP normalizer performs the following action:

For traffic that passes through the control-plane path, such as packets
that require Layer 7 inspection or management traffic, the FWSM sets the
maximum number of out-of-order packets that can be queued for a TCP
connection to two packets. The TCP normalizer is enabled by default and is
not configurable except to enable or disable.

To disable the TCP normalizing function, use the no control-point
tcp-normalizer command in global configuration mode, as shown in the
following example.

FWSM# config terminal
FWSM(config)# no control-point tcp-normalizer
FWSM(config)#
FWSM#

Disabling the "control-point tcp-normalizer" will prevent strict TCP
checks, such as detecting out-of-sequence segments and monitoring TCP
options, on the TCP packets received on the Control Plane for Layer 7
inspection in the FWSM, will not be performed. The feature should be
re-enabled after upgrading to a fixed version of software.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5584>
CVE-2007-5584


ADDITIONAL INFORMATION

The information has been provided by <mailto:psirt@cisco.com> Cisco
Systems Product Security Incident Response Team.
The original article can be found at:
<http://www.cisco.com/warp/public/707/cisco-sa-20071219-fwsm.shtml>

http://www.cisco.com/warp/public/707/cisco-sa-20071219-fwsm.shtml

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

2 comments:

  1. Anonymous8:42 AM

    Hi. Good work. I will probably subscribe to your site in order to read the updates.

    ReplyDelete
  2. Anonymous2:03 AM

    I am very glad to read your new posts! They are so great, and you are very creative! The world is but a canvas to the imagination.

    ReplyDelete