(Vendor Issues Fix) Cisco PIX Firewall Lets Remote Users Block TCP Connections By Spoofing Packets with Invalid Checksums
SecurityTracker Alert ID: 1015737
SecurityTracker URL: http://securitytracker.com/id?1015737
CVE Reference: CVE-2005-3774
Date: Mar 7 2006
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Advisory: Cisco Security Advisory
Version(s): 6.3 and prior, 7.0
Description: A vulnerability was reported in Cisco PIX Firewall. A remote user can cause TCP connections to be blocked.

A remote user can send a TCP SYN packet with an invalid checksum through the target firewall to cause the firewall to block new TCP connections using the same source and destination TCP ports and IP addresses. The remote user's packets are silently discarded because of the invalid checksum. Connections will be blocked until the embryonic connection timeout occurs (the default setting is 30 seconds).

PIX software version 6.3 does not verify the TCP checksum of the packet and will let the packet pass through the firewall. As a result, the half-open TCP connection will be held open until the embryonic timeout occurs (two minutes is the default setting).

Cisco has assigned Cisco Bug IDs CSCsc14915 (for PIX 6.3) and CSCsc16014 (for PIX 7.0) to this vulnerability.

Cisco notes that all firewall interfaces may be affected but that TCP connections originating from higher security level interfaces (e.g., internal interfaces) to lower security level interfaces (e.g., external interfaces) may create the most impact. [Editor's note: This is because those connections are permitted by default, while connections from the external interfaces are denied by default. If there are any explicitly permitted connections from external interfaces, those connections may also have a significant impact.]

The vendor was notified on October 10, 2005.

Konstantin V. Gavrilenko of Arhont Ltd. reported this vulnerability.

The original report is available at:
http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038971.html
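As an added example (not code from this advisory, from Cisco or from the original reporter), the following Python checker parses IPv4/TCP packets, recomputes the TCP checksum over the IPv4 pseudo-header and decides whether a SYN is allowed to create an embryonic connection. The packet builder, the addresses and the port numbers are constructed sample data, and the `should_create_state` policy is an illustration of the checksum check that the advisory says PIX 6.3 did not perform before tracking the half-open connection; it is not PIX code.

```python
"""Added example: TCP checksum verification in front of a stateful firewall's
embryonic-connection state machine. All packets below are constructed test data."""
import struct
from typing import Dict

TCP_SYN = 0x02
TCP_ACK = 0x10


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def ipv4_checksum(header: bytes) -> int:
    """IPv4 header checksum with the checksum field (bytes 10-11) zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def build_ipv4_tcp(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int,
                   seq: int = 0, corrupt_checksum: bool = False) -> bytes:
    """Construct a minimal IPv4 packet carrying a TCP segment without options or payload.
    corrupt_checksum=True produces a test vector with a wrong TCP checksum, the kind of
    packet the advisory says PIX 6.3 forwarded and tracked instead of dropping."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # sport, dport, seq, ack, data offset (5 words) | reserved, flags, window, checksum, urgent
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    csum = tcp_checksum(src, dst, seg)
    if corrupt_checksum:
        csum ^= 0x5A5A
    seg = seg[:16] + struct.pack("!H", csum) + seg[18:]
    # version/IHL, TOS, total length, id, flags/frag (DF), TTL, proto=TCP, checksum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0, 0x4000, 64, 6, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + seg


def inspect_packet(packet: bytes) -> Dict[str, object]:
    """Parse an IPv4/TCP packet and report its flow tuple, SYN status and checksum validity."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    src, dst = packet[12:16], packet[16:20]
    total_len = struct.unpack("!H", packet[2:4])[0]
    seg = packet[ihl:total_len]
    sport, dport = struct.unpack("!HH", seg[:4])
    flags = seg[13]
    stored = struct.unpack("!H", seg[16:18])[0]
    return {
        "flow": (".".join(map(str, src)), sport, ".".join(map(str, dst)), dport),
        "syn_only": (flags & (TCP_SYN | TCP_ACK)) == TCP_SYN,
        "checksum_ok": stored == tcp_checksum(src, dst, seg),
    }


def should_create_state(packet: bytes) -> bool:
    """Illustrative policy: only a checksum-valid SYN may allocate an embryonic connection.
    A SYN with a bad checksum will be discarded by the end host anyway, so tracking it
    only reserves the (src, sport, dst, dport) tuple until the embryonic timeout expires."""
    verdict = inspect_packet(packet)
    return bool(verdict["syn_only"] and verdict["checksum_ok"])


if __name__ == "__main__":
    good = build_ipv4_tcp("192.0.2.10", "198.51.100.20", 40000, 80, TCP_SYN, seq=1)
    bad = build_ipv4_tcp("192.0.2.10", "198.51.100.20", 40000, 80, TCP_SYN, seq=1,
                         corrupt_checksum=True)
    for name, pkt in (("valid SYN", good), ("invalid-checksum SYN", bad)):
        print(name, inspect_packet(pkt), "create state:", should_create_state(pkt))
```

The two sample packets share the same addresses and ports; under the policy above only the first one is tracked, so the second cannot occupy that flow tuple in the connection table.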
Impact: A remote user can silently block TCP connections from being permitted through the firewall.
Solution: Cisco has issued fixed versions (6.3(5.106), 7.0(4.005), and 7.1(1)).
The vendor's updated security notice is available at:
http://www.cisco.com/warp/public/707/cisco-sr-20060307-pix.shtml
Vendor URL: www.cisco.com/warp/public/707/cisco-sr-20060307-pix.shtml
Cause: State error
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Tue, 7 Mar 2006 18:40:03 -0500
Subject: Cisco Security Notice: Response to Cisco PIX embryonic state machine TTL(n-1) DoS and Cisco PIX embryonic state machine 1b data DoS
http://www.cisco.com/warp/public/707/cisco-sr-20060307-pix.shtml