|
|
|
|
| |
Credit:
The information has been provided by Cisco Systems Product Security Incident Response Team.
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20071219-fwsm.shtml
|
| |
Vulnerable Products
The FWSM is vulnerable if running System Software version 3.2(3).
To determine if the FWSM is vulnerable, issue the show module command-line interface (CLI) command from Cisco IOS or Cisco CatOS to identify what modules and sub-modules are installed in the system.
The following example shows a system with a Firewall Service Module (WS-SVC-FWM-1) installed in slot 4.
switch#show module
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ----------------- -----------
1 48 SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX SAxxxxxxxxx
4 6 Firewall Module WS-SVC-FWM-1 SAxxxxxxxxx
5 2 Supervisor Engine 720 (Active) WS-SUP720-BASE SAxxxxxxxxx
6 2 Supervisor Engine 720 (Hot) WS-SUP720-BASE SAxxxxxxxxx
After locating the correct slot, issue the show module command to identify the software version that is running.
switch#show module 4
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ----------------- -----------
4 6 Firewall Module WS-SVC-FWM-1 SAxxxxxxxxx
Mod MAC addresses Hw Fw Sw Status
--- --------------------------------- ------ ------------ ------------ -------
4 0003.e4xx.xxxx to 0003.e4xx.xxxx 3.0 7.2(1) 3.2(3) Ok
The preceding example shows that the FWSM is running version 3.2(3) as indicated by the column under "Sw" above.
Note: Recent versions of Cisco IOS will show the software version of each module in the output from the show module command; therefore, executing the show module command is not necessary.
Alternatively, the information can also be obtained directly from the FWSM through the show version command as seen in the following example.
FWSM#show version
FWSM Firewall Version 3.2(3)
Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window. The version notation is similar to the following example.
FWSM Version: 3.2(3)
Products Confirmed Not Vulnerable:
* FWSM System Software versions 3.2(2) and earlier.
* FWSM System Software versions 3.1(x).
* FWSM System Software versions 1.x(y) and 2.x(y).
* Cisco PIX 500 Series Security Appliance (PIX).
* Cisco 5500 Series Adaptive Security Appliance (ASA).
Details:
A vulnerability exists in the processing of data in the control-plane path with Layer 7 Application Inspections, that may result in a reload of the FWSM. The vulnerability can be triggered with standard network traffic, which is passed through the Application Layer Protocol Inspection process.
The only FWSM release affected by this vulnerability is FWSM System Software version 3.2(3).
Impact:
Successful exploitation of the vulnerability may result in a reload of the FWSM. Repeated exploitation will result in a sustained denial of service attack.
Workarounds:
Disable the TCP Normalizing Function
Disabling the TCP normalizing function in the FWSM will mitigate this vulnerability.
The TCP normalizer performs the following action:
For traffic that passes through the control-plane path, such as packets that require Layer 7 inspection or management traffic, the FWSM sets the maximum number of out-of-order packets that can be queued for a TCP connection to two packets. The TCP normalizer is enabled by default and is not configurable except to enable or disable.
To disable the TCP normalizing function, use the no control-point tcp-normalizer command in global configuration mode, as shown in the following example.
FWSM# config terminal
FWSM(config)# no control-point tcp-normalizer
FWSM(config)#
FWSM#
Disabling the "control-point tcp-normalizer" will prevent strict TCP checks, such as detecting out-of-sequence segments and monitoring TCP options, on the TCP packets received on the Control Plane for Layer 7 inspection in the FWSM, will not be performed. The feature should be re-enabled after upgrading to a fixed version of software.
CVE Information:
CVE-2007-5584
|
|
|
|
|
