Credit:
The information has been provided by Cisco PSIRT.
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20090819-fwsm.shtml
Vulnerable Systems:
* Cisco Catalyst 6500 Series Switches
* Cisco 7600 Series Routers
The Cisco FWSM is a high-speed, integrated firewall module for Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The FWSM offers firewall services with stateful packet filtering and deep packet inspection.
A vulnerability exists in the Cisco FWSM Software that may cause the FWSM to stop forwarding traffic between interfaces, or stop processing traffic that is directed at the FWSM (management traffic) after multiple, crafted ICMP messages are processed by the FWSM. Any traffic that transits or is directed towards the FWSM is affected, regardless of whether ICMP inspection ("inspect icmp" command under Class configuration mode) is enabled.
The FWSM stops processing traffic because one of the Network Processors (NPs) that is used by the FWSM to handle traffic may use all available execution threads while handling a specific type of crafted ICMP messages. This behavior limits the execution threads that are available to handle additional traffic.
Administrators may be able to determine if the FWSM has been affected by this vulnerability by issuing the "show np 2 stats" command. If this command produces output showing various counters and their values, as shown in the example CLI output that follows, the FWSM has not been affected by the vulnerability. If the command returns a single line that reads "ERROR: np_logger_query request for FP Stats failed", the FWSM may have been affected by the vulnerability.
FWSM#show np 2 stats
-------------------------------------------------------------------------------
Fast Path 64 bit Global Statistics Counters (NP-2)
-------------------------------------------------------------------------------
PKT_MNG: total packets (dot1q) rcvd : 10565937
PKT_MNG: total packets (dot1q) sent : 4969517
PKT_MNG: total packets (dot1q) dropped : 65502
PKT_MNG: TCP packets received : 0
PKT_MNG: UDP packets received : 4963509
PKT_MNG: ICMP packets received : 0
PKT_MNG: ARP packets received : 2
PKT_MNG: other protocol pkts received : 0
PKT_MNG: default (no IP/ARP) dropped : 0
SESS_MNG: sessions created : 18
SESS_MNG: sessions embryonic to active : 0
[...]
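To automate the check described above, here is an added Python example (not part of the Cisco advisory) that parses "show np 2 stats" output into its counters and flags the single-line error that indicates the FWSM may have been affected. The two sample outputs are constructed from the advisory's own text.

```python
import re

# Constructed sample: abridged output from a healthy FWSM, using the counter
# values shown in the advisory's example.
HEALTHY_OUTPUT = """\
FWSM#show np 2 stats
-------------------------------------------------------------------------------
Fast Path 64 bit Global Statistics Counters (NP-2)
-------------------------------------------------------------------------------
PKT_MNG: total packets (dot1q) rcvd : 10565937
PKT_MNG: total packets (dot1q) sent : 4969517
PKT_MNG: total packets (dot1q) dropped : 65502
PKT_MNG: ICMP packets received : 0
SESS_MNG: sessions created : 18
"""

# Constructed sample: the single error line the advisory says is returned when
# the FWSM may have been affected by the vulnerability.
FAILED_OUTPUT = """\
FWSM#show np 2 stats
ERROR: np_logger_query request for FP Stats failed
"""

ERROR_LINE = "ERROR: np_logger_query request for FP Stats failed"

# Matches lines such as "PKT_MNG: total packets (dot1q) rcvd : 10565937";
# the banner, prompt and dashed separators do not match.
COUNTER_RE = re.compile(r"^(?P<group>[A-Z_]+):\s+(?P<name>.+?)\s*:\s*(?P<value>\d+)\s*$")


def parse_np_stats(output: str) -> dict:
    """Parse 'show np 2 stats' output into {(group, counter_name): value}."""
    counters = {}
    for line in output.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[(m.group("group"), m.group("name"))] = int(m.group("value"))
    return counters


def assess_fwsm(output: str) -> str:
    """Apply the advisory's check: error line -> possibly affected, counters -> healthy."""
    if any(line.strip() == ERROR_LINE for line in output.splitlines()):
        return "possibly-affected"
    if parse_np_stats(output):
        return "healthy"
    return "unknown"  # neither form recognised; inspect the output by hand
```

Feed the function the captured output of the command (for example from a scheduled collection job) to alert on an FWSM that needs a reload.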
An FWSM that stops processing traffic as a result of this vulnerability will need to be reloaded. Administrators can reload the FWSM from the supervisor of the Catalyst 6500 Series Switch or the Cisco 7600 Series Router by issuing the command "hw-module module reset" (Cisco IOS Software) or "set module power up|down" (Cisco CatOS Software). Note that unless the FWSM software is updated to a non-vulnerable version, or crafted ICMP messages are blocked (see the Workarounds section for details), the FWSM can still be subject to exploitation (intentional or otherwise) after a reload.
If an FWSM that is configured for failover operation encounters this issue, the active FWSM may not properly fail over to the standby FWSM.
IPv6 (in particular ICMPv6) cannot trigger this vulnerability.
Patch Availability:
Cisco has released free software updates that address this vulnerability.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20090819-fwsm.shtml
Workarounds:
There are no workarounds for this vulnerability. Access control lists (ACLs) that are deployed on the FWSM itself to block through-the-device or to-the-device ICMP messages are not effective to prevent this vulnerability. However, blocking unnecessary ICMP messages on screening devices or on devices in the path to the FWSM will prevent the FWSM from triggering the vulnerability. For example, the following ACL, when deployed on a Cisco IOS device in front of the FWSM, will prevent crafted ICMP messages from reaching the FWSM, and thus protect the FWSM from triggering the vulnerability:
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any
access-list 101 permit ip any any
This sample ACL allows certain ICMP messages that are vital for network troubleshooting and for proper operation of the network. It is safe to allow any other ICMP messages for which the Cisco IOS Software "access-list" command has named ICMP type keywords. ACLs like the one in the preceding example may also be deployed on non-Cisco IOS devices, such as the Cisco PIX and ASA security appliances, although the ACL syntax on non-Cisco IOS devices may not support all the named ICMP type keywords that the Cisco IOS ACL syntax supports. However, on non-Cisco IOS devices, it is safe to permit all ICMP messages for which there are named ICMP type keywords in the ACL syntax.
As mentioned in the Details section, if the FWSM has stopped processing traffic due to this vulnerability, the FWSM will require a reload. Administrators can reload the FWSM by logging in to the supervisor of the Catalyst 6500 Series Switch or the Cisco 7600 Series Router and issuing the "hw-module module reset" (Cisco IOS Software) or "set module power up|down" (Cisco CatOS Software) command.
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090819-fwsm.shtml
CVE Information:
CVE-2009-0638