Credit:
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml
Vulnerable Systems:
* Cisco Catalyst 6500 Series Switches version 3.1
* Cisco 7600 Series Routers version 3.1
* Cisco Catalyst 6500 Series Switches version 3.2
* Cisco 7600 Series Routers version 3.2
* Cisco Catalyst 6500 Series Switches version 4.0
* Cisco 7600 Series Routers version 4.0
* Cisco Catalyst 6500 Series Switches version 4.1
* Cisco 7600 Series Routers version 4.1
Multiple vulnerabilities exist in the Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers that may cause the Cisco FWSM to reload after processing crafted SunRPC or certain TCP packets. Repeated exploitation could result in a sustained DoS condition.
SunRPC Inspection Denial of Service Vulnerabilities
####################################################
The Cisco FWSM is affected by three vulnerabilities that may cause the device to reload during the processing of different crafted SunRPC messages when SunRPC inspection is enabled. Note: These vulnerabilities are only triggered by transit traffic; traffic that is destined to the device does not trigger these vulnerabilities. These vulnerabilities are documented in Cisco bug IDs CSCte61710 (registered customers only), CSCte61622 (registered customers only), and CSCte61662 (registered customers only); and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-2818, CVE-2010-2819, and CVE-2010-2820, respectively.
TCP Denial of Service Vulnerability
###################################
You can partition a single FWSM into multiple virtual devices, known as security contexts. Each context has its own security policy, interfaces, and administrators. Multiple contexts are similar to multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, and management. The Cisco FWSM is affected by a denial of service vulnerability that could allow an unauthenticated attacker to cause a reload by sending a series of TCP packets. The Cisco FWSM is only affected by this vulnerability when it is configured in multi-mode (with virtual firewalls) and configured to accept Telnet, SSH or ASDM connections. Note: A TCP three-way handshake is needed to exploit this vulnerability. This vulnerability is only triggered by traffic that is destined to the affected device; transit traffic does not trigger this vulnerability. This vulnerability is documented in Cisco bug ID CSCtg68694 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2821.
Workaround:
The SunRPC inspection vulnerabilities can be mitigated by disabling SunRPC inspection, if it is not required. Administrators can disable SunRPC inspection by issuing the no inspect sunrpc command in class configuration sub-mode within policy-map configuration.
The TCP DoS vulnerability can be mitigated by only allowing trusted hosts to communicate with the FWSM via HTTPS, SSH, or Telnet. For example, the following commands enable the HTTPS server and allow only hosts on the inside interface with an address in the 192.168.1.0/24 network to create ASDM, SSH or Telnet connections:
asa(config)# http server enable
asa(config)# http 192.168.1.0 255.255.255.0 inside
asa(config)# telnet 192.168.1.0 255.255.255.0 inside
asa(config)# ssh 192.168.1.0 255.255.255.0 inside
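The two workarounds above amount to two checks an administrator can run against a saved running-config before and after the change: is `inspect sunrpc` still present in any policy-map class, and do the `http`, `ssh` or `telnet` access lines still admit any source (netmask 0.0.0.0) while the module runs in multiple context mode? The following audit script is an added example and is not part of the Cisco advisory; the sample configurations it scans are constructed for this illustration, and the assumption that a multi-context FWSM shows `mode multiple` in its system configuration is the author's, not something the advisory states.

```python
import re
from typing import Dict, List

# Constructed sample running-config (not from the advisory). The syntax follows
# the ASA/FWSM CLI used in the advisory's workaround commands; "mode multiple"
# as the marker for multi-context mode is an assumption of this example.
EXPOSED_CONFIG = """\
mode multiple
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect sunrpc
  inspect ftp
!
http server enable
http 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
"""

# Constructed config after applying both workarounds: SunRPC inspection removed,
# management access restricted to the trusted inside network.
HARDENED_CONFIG = """\
mode multiple
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
!
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
"""

ANY_NETMASK = "0.0.0.0"

# Matches "http|ssh|telnet <network> <netmask> <interface>"; "http server enable"
# does not match because the second field must be a dotted-quad address.
MGMT_LINE = re.compile(
    r"^\s*(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)",
    re.MULTILINE,
)


def sunrpc_inspection_enabled(config: str) -> bool:
    """True if any policy-map class still carries 'inspect sunrpc'."""
    return re.search(r"^\s*inspect\s+sunrpc\b", config, re.MULTILINE) is not None


def multi_context_mode(config: str) -> bool:
    """True if the system configuration declares multiple context mode (assumed marker)."""
    return re.search(r"^\s*mode\s+multiple\b", config, re.MULTILINE) is not None


def management_access_lines(config: str) -> List[Dict[str, str]]:
    """All http/ssh/telnet source restrictions, one dict per line."""
    return [
        {"service": svc, "network": net, "mask": mask, "interface": iface}
        for svc, net, mask, iface in MGMT_LINE.findall(config)
    ]


def unrestricted_management_access(config: str) -> List[Dict[str, str]]:
    """Management access lines that accept connections from any source address."""
    return [line for line in management_access_lines(config) if line["mask"] == ANY_NETMASK]


def audit(config: str) -> Dict[str, object]:
    """Summarise exposure to the advisory's two issue classes for one config."""
    mgmt = management_access_lines(config)
    return {
        "sunrpc_inspection": sunrpc_inspection_enabled(config),
        "multi_context": multi_context_mode(config),
        # The TCP DoS needs multi-mode plus an accepted management connection.
        "tcp_dos_exposed": multi_context_mode(config) and bool(mgmt),
        "management_open_to_any": unrestricted_management_access(config),
    }


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Run it against a `show running-config` capture instead of the embedded samples to get the same summary for a real module; a device that still reports `sunrpc_inspection` true or lists entries under `management_open_to_any` has not had the corresponding workaround applied.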
CVE Information:
CVE-2010-2818
CVE-2010-2819
CVE-2010-2820
CVE-2010-2821
Disclosure Timeline:
2010-August-04: Initial public release.