-----BEGIN PGP SIGNED MESSAGE-----

On August 19, 1998, a BUGTRAQ subscriber posted a description of a fragmentation-based denial of service attack against hosts protected by Cisco PIX firewalls. This attack exploits resource management vulnerabilities in the IP stacks on the protected hosts. The attack in question is a standard one, common to the PIX firewall and to many other packet filtering devices.

This vulnerability is real, and has been assigned Cisco bug ID CSCdk36273. Although we believe that the practical impact of the attack may be less than the original poster implied, we have made changes to the PIX firewall software to improve its behavior in the face of fragmented packets. Specifically,

o Interfragment state will be kept. A non-initial fragment will be discarded unless the corresponding initial fragment was permitted to pass through the firewall. Non-initial fragments received before the corresponding initial fragments will be discarded.

o The amount of memory dedicated to fragment state will be limited in order to avoid the obvious denial of service attacks against the PIX firewall itself.

o Fragments received for statically configured NAT addresses without conduits will be dropped as other unsolicited packets are.

o Fragments will be checked for certain overwrite attacks.

These changes are undergoing quality assurance testing, and will be released in Cisco PIX firewall software release 4.2.2, which is tentatively scheduled for mid-September.

We do not believe that our customers are critically exposed at this time, especially if they have followed our configuration recommendations for their PIX firewalls. If an actual attack is staged against any of our customers using this vulnerability, we are prepared to offer tactical support.

Although these changes address the immediate problem, we are reexamining the handling of IP fragments in the PIX firewall and in our other firewall products. We hope to improve on the present changes in terms of robustness and performance in cases where fragments are legitimately delivered out of order, and to improve the resistance of our firewalls against a variety of other potential fragmentation attacks.

We will be issuing a formal security notice regarding this problem within the next two weeks.

-- J. Bashinski for Cisco Systems' Product Security Incident Response Team

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNeY9Y3LSeEveylnrAQEURAf/YIcO1uTnhyhcxbUC0i97ARKhbbxsivxJ
Cum5e9GhHNuaqr/YCo84bkMjM1mDI+Mj+xf4NeAbGIjboGkbPJNHARqUIzLU92gN
4u8euq+Pe8jQoXijcuBiVOx9amQW9GdfQRR5y/I/Ud+zjp45xqdybn8KWXd64yBL
DBmSEp9iicy1SaSDvyvdPjUKu5BGuj00vxyASuhZ4s7ERAvpsz2JpxXQoP9M/g/k
UNWbad0WEjSlgReAxEyncwrOOkh8DfWoiLIYKppMwNvUdjZT74fyV8QkVyH2vvbC
gqKJ8SdQFumUqh1OkRnzimFo7skjXDXp0ZM5NhRU9rcfS2ogE4Pv3A==
=bJpf
-----END PGP SIGNATURE-----
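The fragment-handling rules the post lists (interfragment state keyed on the datagram, non-initial fragments dropped unless their initial fragment was permitted, a bounded state table, and overwrite detection) modelled as an added Python example. This is illustration code written for this page, not Cisco's PIX implementation; the `Fragment` record, the `permit` callback standing in for the conduit/rule-set check, the eviction and timeout choices, and the sample fragments in `demo()` are all constructed assumptions.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int
    ident: int       # IP identification field
    offset: int      # fragment offset in bytes (header field * 8)
    length: int      # payload bytes carried by this fragment
    more: bool       # MF flag
    dport: int = 0   # transport port; only present in the initial fragment


Key = Tuple[str, str, int, int]


class FragmentFilter:
    """Interfragment state keyed by (src, dst, proto, id).

    Rules modelled from the post: a non-initial fragment passes only if the
    initial fragment of the same datagram was already permitted (so fragments
    arriving before their initial fragment are dropped); the state table is
    bounded; fragments that overwrite bytes already accepted are dropped.
    """

    def __init__(self, permit: Callable[[Fragment], bool],
                 max_entries: int = 2, timeout: float = 30.0):
        self.permit = permit          # rule-set / conduit check (assumed interface)
        self.max_entries = max_entries
        self.timeout = timeout
        self.table: "OrderedDict[Key, dict]" = OrderedDict()

    def _expire(self, now: float) -> None:
        stale = [k for k, e in self.table.items() if now - e["created"] > self.timeout]
        for k in stale:
            del self.table[k]

    @staticmethod
    def _overlaps(entry: dict, frag: Fragment) -> bool:
        start, end = frag.offset, frag.offset + frag.length
        return any(start < e and s < end for s, e in entry["ranges"])

    def accept(self, frag: Fragment, now: float = 0.0) -> bool:
        self._expire(now)
        key: Key = (frag.src, frag.dst, frag.proto, frag.ident)
        entry = self.table.get(key)

        if frag.offset == 0:
            # Initial fragment: carries the transport header, so the rule set can judge it.
            if not self.permit(frag):
                return False
            if entry is not None:
                return False   # a second initial fragment for a live datagram is an overwrite
            if not frag.more:
                return True    # not fragmented at all; no state needed
            if len(self.table) >= self.max_entries:
                self.table.popitem(last=False)   # bounded memory: evict the oldest datagram
            self.table[key] = {"created": now, "ranges": [(0, frag.length)], "total": None}
            return True

        # Non-initial fragment: no transport header, so it is judged on state alone.
        if entry is None:
            return False       # initial fragment never permitted, or arrived out of order
        if self._overlaps(entry, frag):
            return False       # overwrite of bytes already accepted for this datagram
        entry["ranges"].append((frag.offset, frag.offset + frag.length))
        if not frag.more:
            entry["total"] = frag.offset + frag.length
        covered = sum(e - s for s, e in entry["ranges"])
        if entry["total"] is not None and covered == entry["total"]:
            del self.table[key]   # datagram complete; release the state
        return True


def demo() -> List[bool]:
    """Constructed fragments (not captured traffic) run through the filter."""
    # Assumed rule set: only TCP to port 80 is permitted through the conduit.
    f = FragmentFilter(permit=lambda p: p.proto == 6 and p.dport == 80,
                       max_entries=2, timeout=30.0)
    hosts = dict(src="10.0.0.5", dst="192.0.2.10", proto=6)

    def frag(ident, off, ln, more, dport=0):
        return Fragment(ident=ident, offset=off, length=ln, more=more, dport=dport, **hosts)

    return [
        f.accept(frag(1, 0, 24, True, 80)),         # initial fragment, permitted
        f.accept(frag(1, 24, 16, False)),           # tail completes datagram 1
        f.accept(frag(99, 8, 16, False)),           # non-initial with no initial seen
        f.accept(frag(2, 0, 24, True, 23)),         # initial fragment denied by rule set
        f.accept(frag(2, 24, 16, False)),           # so its tail is dropped as well
        f.accept(frag(3, 0, 24, True, 80)),         # permitted
        f.accept(frag(3, 16, 16, False)),           # overlaps bytes 16..24 already accepted
        f.accept(frag(4, 0, 24, True, 80)),         # permitted
        f.accept(frag(5, 0, 24, True, 80)),         # table full: datagram 3 state evicted
        f.accept(frag(3, 24, 16, False)),           # state for 3 is gone
        f.accept(frag(4, 24, 8, False), now=60.0),  # state for 4 has timed out
    ]
```

The eviction policy is the trade-off the post alludes to: bounding the table protects the firewall's own memory, but an attacker who floods permitted initial fragments can flush state for legitimate datagrams, whose tails are then dropped. The timeout is driven by an explicit `now` argument so the behaviour is reproducible offline.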
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:13:54 PDT