Cisco Systems Product Security Incident Response Team wrote:
> Cisco Secure PIX Firewall TCP Reset Vulnerability
>
> Revision 1.0
>
> For Public Release 2000 July 11 06:00 US/Eastern (UTC+0400)
>
> ------------------------------------------------------------------------
>
> Summary
> =======
>
> The Cisco Secure PIX Firewall cannot distinguish between a forged TCP Reset
> (RST) packet and a genuine TCP RST packet. Any TCP/IP connection established
> through the Cisco Secure PIX Firewall can be terminated by a third party from
> the untrusted network if the connection can be uniquely determined. This
> vulnerability is independent of configuration. There is no workaround.
>
> This vulnerability exists in all Cisco Secure PIX Firewall software releases
> up to and including 4.2(5), 4.4(4), 5.0(3) and 5.1(1). The defect has been
> assigned Cisco bug ID CSCdr11711.
>
> This notice is posted on Cisco's Worldwide Web site at
> http://www.cisco.com/warp/public/707/pixtcpreset-pub.shtml.
>
> Affected Products
> =================
>
> Cisco Secure PIX Firewalls with software versions up to and including 4.2(5),
> 4.4(4), 5.0(3) and 5.1(1) are affected.
>
> No other products are vulnerable to this defect.
>
> Details
> =======
>
> When the Cisco Secure PIX Firewall receives a TCP Reset (RST) packet, it
> evaluates that packet based on data contained in the TCP packet header: source
> IP address, source port, destination IP address, and destination port. If
> these four values match an entry in the stateful inspection table, the
> associated connection will be reset. This affects only TCP sessions. Data
> exchange based on any other protocol is not affected.
>
> To exploit this vulnerability, an attacker would need to have or infer:
>
>   * Detailed knowledge of the connection table in the Cisco Secure PIX
>     Firewall prior to launching the attack
>
> Or
>
>   * Detailed knowledge of the source and destination IP Address and ports
>     associated with a particular connection to be attacked
>
> This particular vulnerability only affects the connection table (which keeps
> state regarding the connections being made through the device). It does not
> affect the translation table (in which address mappings are stored).
>
> Cisco Secure PIX Firewall software has been fixed so that it now checks for
> a valid sequence number before removing a connection from the connection
> state table.
>
> Impact
> ======
>
> Any Cisco Secure PIX Firewall that provides external access to the Internet
> and for which all of the preceding conditions are met is vulnerable to the
> disruption of individual sessions.
>
> Software Versions and Fixes
> ===========================
>
> For the version listed in the left-most column below, customers should upgrade
> to at least the version shown in the center column. Please note the hardware
> requirements following the table.
>
> +-----------------------------+--------------------------+---------------+
> |                             |Projected first fixed     |               |
> |Affected Version             |regular release (fix will |Date Available |
> |                             |carry forward into all    |               |
> |                             |later versions)           |               |
> +-----------------------------+--------------------------+---------------+
> |All versions of Cisco Secure |                          |               |
> |PIX up to version 4.2(5)     |                          |               |
> |(including 2.7, 3.0, 3.1,    |          4.4(5)          |  2000-06-09   |
> |4.0, 4.1)                    |                          |               |
> +-----------------------------+--------------------------+---------------+
> |All 4.3.x and 4.4.x versions |                          |               |
> |up to and including version  |          4.4(5)          |  2000-06-09   |
> |4.4(4)                       |                          |               |
> +-----------------------------+--------------------------+---------------+
> |Version 5.0.x up to and      |                          |               |
> |including version 5.0(3)     |          5.1(2)          |  2000-06-09   |
> +-----------------------------+--------------------------+---------------+
> |Version 5.1.1                |          5.1(2)          |  2000-06-09   |
> +-----------------------------+--------------------------+---------------+
>
> A 128MB upgrade for the PIX Firewall is necessary if:
>
>   * Version 4.3 or 4.4 is used on a PIX 'Classic'
>     (excluding PIX10000, PIX-510, PIX-520, and PIX-515)
>
> Or
>
>   * Version 5.0 is used on a PIX 'Classic', PIX10000, or PIX-510
>     (excluding PIX-520 and PIX-515)
>
> As with any new software installation, customers planning to upgrade should
> carefully read the release notes and other relevant documentation before
> beginning any upgrade. Also, it is important to be certain that the new
> version of Cisco Secure PIX Firewall software is supported by your hardware
> and especially that enough memory is available.
>
> Obtaining Fixed Software
> ========================
>
> Cisco is offering free software upgrades to remedy this vulnerability for all
> affected customers.
>
> Customers with contracts should obtain upgraded software through their regular
> update channels. For most customers, this means that upgrades should be
> obtained via the Software Center on Cisco's Worldwide Web site at
> http://www.cisco.com/.
>
> Customers without contracts should get their upgrades by contacting the Cisco
> Technical Assistance Center (TAC). TAC contacts are as follows:
>
> * +1 800 553 2447 (toll-free from within North America)
> * +1 408 526 7209 (toll call from anywhere in the world)
> * E-mail: [EMAIL PROTECTED]
>
> Additional contact information for the Cisco TAC for non-English speakers is
> available at http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml.
>
> Give the URL of this notice as evidence of your entitlement to a free
> upgrade. Free upgrades for non-contract customers must be requested through
> the TAC. Please do not contact [EMAIL PROTECTED] or [EMAIL PROTECTED] for
> software upgrades.
>
> Workarounds
> ===========
>
> There are no workarounds for this defect. Customers are urged to upgrade to
> the versions of code containing the fix for CSCdr11711.
>
> Exploitation and Public Announcements
> =====================================
>
> Cisco has received no reports of malicious exploitation of this
> vulnerability. The vulnerability was reported to Cisco by a customer and has
> been discussed on BUGTRAQ, a public full-disclosure security mailing list.
>
> Status of This Notice: FINAL
> ============================
>
> This is a final notice. Although Cisco cannot guarantee the accuracy of all
> statements in this notice, all of the facts have been checked to the best of
> our ability. Cisco does not anticipate issuing updated versions of this notice
> unless there is some material change in the facts. Should there be a
> significant change in the facts, Cisco may update this notice.
>
> Distribution
> ============
>
> This notice is posted at
> http://www.cisco.com/warp/public/707/pixtcpreset-pub.shtml on Cisco's
> Worldwide Web site. A text version of this notice will be clear-signed with
> the latest Cisco PSIRT RSA PGP key and posted to the following e-mail
> recipients and Usenet newsgroups:
>
> * [EMAIL PROTECTED]
> * [EMAIL PROTECTED]
> * [EMAIL PROTECTED]
> * [EMAIL PROTECTED] (includes CERT/CC)
> * [EMAIL PROTECTED]
> * [EMAIL PROTECTED]
> * comp.dcom.sys.cisco
> * Various internal Cisco mailing lists
>
> Future updates of this notice, if any, will be placed on Cisco's Worldwide Web
> server, but may or may not be actively announced on mailing lists or
> newsgroups. Users concerned about this problem are encouraged to check the URL
> given above for any updates.
>
> Revision History
> ================
>
> +-------------+-----------+-----------------------+
> |Revision 1.0 |2000-07-11 |Initial public release |
> +-------------+-----------+-----------------------+
>
> Cisco Product Security Incident Assistance Process
> ==================================================
>
> The web page at
> http://www.cisco.com/warp/public/707/sec_incident_response.shtml describes how
> to report security vulnerabilities in Cisco products, obtain assistance with
> security incidents, and register to receive product security information from
> Cisco Systems, Inc., including instructions for press inquiries regarding
> Cisco Security Advisories and notices. This advisory is Cisco's official
> public statement regarding this vulnerability.
>
> ------------------------------------------------------------------------
>
> This notice is Copyright 2000 by Cisco Systems, Inc. This notice may be
> redistributed freely after the release date given at the top of the text,
> provided that redistributed copies are complete and unmodified, including
> all date and version information.
>
> ------------------------------------------------------------------------
>
--
Kevison Dennys Carrilho Bentes
[EMAIL PROTECTED]
Fone: 55 61 313-8002
Fax: 55 61 245-2558
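
Added example (not part of the forwarded advisory and not Cisco's code): a toy connection table contrasting the 4-tuple-only RST handling described under Details with a handler that also validates the sequence number, as the fixed software is said to do. The in-window test, all names, and the sample addresses are assumptions; the advisory does not say how PIX defines a valid sequence number.

```python
from dataclasses import dataclass


@dataclass
class ConnState:
    rcv_nxt: int  # next sequence number expected from the sender
    rcv_wnd: int  # receive window currently open for that sender


class ConnTable:
    """Toy stateful-inspection table keyed by the TCP 4-tuple (hypothetical)."""

    def __init__(self, check_seq: bool):
        self.check_seq = check_seq
        self.conns = {}

    def add(self, four_tuple, rcv_nxt, rcv_wnd):
        self.conns[four_tuple] = ConnState(rcv_nxt, rcv_wnd)

    def handle_rst(self, four_tuple, seq):
        """Return True if this RST removes a tracked connection."""
        state = self.conns.get(four_tuple)
        if state is None:
            return False  # no entry matches the 4-tuple
        if self.check_seq:
            # Assumed validity rule: seq must fall inside the receive window.
            # Arithmetic is modulo 2**32 so sequence wrap-around is handled.
            offset = (seq - state.rcv_nxt) % 2**32
            if offset >= max(state.rcv_wnd, 1):
                return False  # out-of-window RST is ignored
        del self.conns[four_tuple]
        return True


# Constructed sample flow using documentation address ranges.
FLOW = ("192.0.2.10", 40000, "198.51.100.5", 80)


def demo():
    """Run the same two RSTs against both table behaviours."""
    results = {}
    for name, check in (("tuple_only", False), ("seq_checked", True)):
        table = ConnTable(check_seq=check)
        table.add(FLOW, rcv_nxt=0xFFFFFF00, rcv_wnd=8192)
        forged = table.handle_rst(FLOW, seq=12345)  # sender does not know seq
        still_up = FLOW in table.conns
        genuine = table.handle_rst(FLOW, seq=0xFFFFFF00)  # endpoint's real seq
        results[name] = (forged, still_up, genuine)
    return results
```

With the tuple-only table the first RST already removes the entry, so the session is gone before the genuine endpoint ever sends its own reset; with the sequence check the entry survives until an in-window RST arrives.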