Summary:

During security testing of firewalls in our lab we found a serious bug in Cisco PIX which makes it possible to do DOS-attacks to static IP-addresses on the inside. The bug was reported to Cisco six weeks ago, including the source code to our DOS-program, but no response yet (more than "working on it").

Details:

Most Cisco PIX installations use NAT, but if you need DNS, mail etc. you have to have a static address for this server, and many installations of Cisco PIX are configured like this.

We sent a fragmented packet, split into 2, with the FIN-flag set and noticed that the packet with the TCP-header was correctly dropped but the second part was let through the PIX to the host on the inside! Another strange thing was that the data was deformed so that all data was 7E! We tried with only ICMP allowed, mail etc. and with nothing allowed and we had the same result every time. The part not including the TCP-header was let through!

So how can you do a DOS-attack with this? Easy! Just send a lot of those packets (I really mean a lot!!!) to this host and see what happens. An NT-server we tried against completely stopped! Couldn't even move the mouse. Same thing with a Linux-box, but NT-servers with more than one CPU managed a little better. Only one CPU got up to 100%. We also tried against a SUN Ultra 2 with a lot of memory but this attack did not seem to affect this machine very much.

The reason why the smaller machine hangs could (must?!) be that it collects a lot of fragmented packets but it never receives the first part of them, which will exhaust the memory after a while. It will also have a great job collecting all these packets. The server will hang fast (1 second or so) if you have plenty of bandwidth, slower if you don't, but it will always work.

The funny thing is that it is the PIX who makes it possible to perform this DOS-attack :-). Of course what we were trying to do was to FIN-scan for open ports on a machine behind the PIX, but this was even better...
Most source code was snatched from Uriel's and Fyodor's FIN/fragment scanners. Many thanks to them!

Who is affected?

Any company, organisation etc. who is using static addressing along with Cisco PIX, with any version of PIX software. Even tried the last beta. Pentagon, are you reading this?

Fixes:

No fix yet as far as I know. Cannot think of a quick one but to remove all static addressing, and it's no good.

------------------------------------------------------------------------------------------------------
Robert Ståhlbrand
Ericsson Telecom AB, Network Management Application Center
TeMa-Lab system responsible
robertat_private
"Real hackers don't die, their TTL expires."
------------------------------------------------------------------------------------------------------
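The failure mode described above, from the inside host's point of view, is a reassembly queue that fills with trailing fragments whose first fragment (the one carrying the TCP header) never arrives. The following is an added example, not code from the original post or from Cisco: a small Python monitor that models such a queue per destination, the way a host or an IDS sensor would, reports datagrams that time out without ever seeing an offset-0 piece, and shows the effect of a per-destination cap on incomplete datagrams. The 30 s reassembly timeout, the cap of 64 pending datagrams, and the addresses and IP identification values in the sample records are all assumptions constructed for this example, not measured values; the completeness check is also simplified (see the comment in feed).

```python
"""Monitor for 'headless' IP fragments: trailing fragments (offset > 0) whose
initial fragment never shows up. Sample records below are constructed for this
example; they are not captured traffic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Frag:
    ts: float      # arrival time in seconds
    src: str
    dst: str
    ip_id: int     # IP identification field, shared by all pieces of one datagram
    proto: int     # IP protocol number, 6 = TCP
    offset: int    # fragment offset in bytes
    more: bool     # More Fragments (MF) flag
    length: int    # payload bytes carried by this fragment


@dataclass
class Pending:
    first_seen: float
    has_head: bool = False   # offset-0 piece (carries the TCP header) seen
    has_tail: bool = False   # piece with MF clear seen
    held_bytes: int = 0      # memory a host would keep for this datagram
    frag_count: int = 0


class FragmentMonitor:
    """Per-destination table of incomplete datagrams with a timeout and a cap."""

    def __init__(self, timeout=30.0, max_pending_per_dst=64):
        self.timeout = timeout              # assumed reassembly timeout
        self.max_pending = max_pending_per_dst
        self.pending = defaultdict(dict)    # dst -> {(src, ip_id, proto): Pending}
        self.refused = defaultdict(int)     # dst -> new datagrams refused by the cap
        self.alerts = []                    # (dst, src, ip_id, held_bytes, frag_count)

    def feed(self, f):
        self._expire(f.ts)
        table = self.pending[f.dst]
        key = (f.src, f.ip_id, f.proto)
        dg = table.get(key)
        if dg is None:
            if len(table) >= self.max_pending:
                # Mitigation: bound memory by refusing new incomplete datagrams
                # once the per-destination table is full.
                self.refused[f.dst] += 1
                return
            dg = table[key] = Pending(first_seen=f.ts)
        dg.frag_count += 1
        dg.held_bytes += f.length
        if f.offset == 0:
            dg.has_head = True
        if not f.more:
            dg.has_tail = True
        # Simplification (assumption): head plus tail is treated as complete and
        # released. A real reassembler checks that every byte range is covered.
        if dg.has_head and dg.has_tail:
            del table[key]

    def _expire(self, now):
        # Datagrams older than the timeout are dropped; those that never
        # received a head are exactly the fragments the PIX let through.
        for dst, table in self.pending.items():
            stale = [k for k, d in table.items() if now - d.first_seen > self.timeout]
            for k in stale:
                d = table.pop(k)
                if not d.has_head:
                    self.alerts.append((dst, k[0], k[1], d.held_bytes, d.frag_count))

    def bytes_held(self, dst):
        return sum(d.held_bytes for d in self.pending[dst].values())


def constructed_sample():
    """One legitimate two-piece datagram, then 100 trailing-only fragments
    (offset 8, MF clear) from one source, then a later packet that lets the
    monitor's timeout fire. All values are constructed."""
    recs = [
        Frag(0.00, "192.0.2.10", "203.0.113.25", 0x1234, 6, 0, True, 1480),
        Frag(0.01, "192.0.2.10", "203.0.113.25", 0x1234, 6, 1480, False, 520),
    ]
    for i in range(100):
        recs.append(Frag(0.02 + i * 0.001, "198.51.100.7", "203.0.113.25",
                         0x4000 + i, 6, 8, False, 16))
    recs.append(Frag(45.0, "192.0.2.10", "203.0.113.25", 0x1235, 6, 0, False, 100))
    return recs


def run(records, **kwargs):
    mon = FragmentMonitor(**kwargs)
    for f in records:
        mon.feed(f)
    return mon


if __name__ == "__main__":
    mon = run(constructed_sample())
    print("headless datagrams:", len(mon.alerts), "refused by cap:", dict(mon.refused))
    for a in mon.alerts[:3]:
        print("  dst=%s src=%s id=0x%04x bytes=%d frags=%d" % a)
```

Run stand-alone it reports 64 headless datagrams and 36 refused fragments for the capped table; with the cap raised, every one of the 100 trailing fragments occupies the queue until the timeout, which is the growth the post observes on the NT and Linux hosts. The cap and timeout are the two knobs a host or inline sensor has against this; the per-source, per-destination alert is the signal to watch for trailing fragments arriving without heads, which a correctly filtering firewall should not let through.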
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:13:02 PDT