-----Original Message-----
From: Gregg Shankle [mailto:Gregg.Shankle@private]
Sent: Wednesday, December 17, 2003 2:53 PM
To: Gregg Shankle
Subject: Low read - Cyber Infrastructure advisory

The following information was received from one of our multi-state infrastructure information sharing partners.

_______________________________________

DATE ISSUED: Wednesday, December 17, 2003

SUBJECT: Cisco advises of PIX firewall vulnerabilities.

OVERVIEW:
Cisco issued an advisory documenting vulnerabilities on PIX firewalls that have Simple Network Management Protocol (SNMP) or Virtual Private Network Client (VPNC) enabled. Either vulnerability, if exploited, would cause the firewall to fail, resulting in a denial of service attack.

SYSTEMS AFFECTED:
All CISCO PIX firewalls running:
* CSCeb20276 (SNMPv3): 6.3.1, 6.2.2 and earlier, 6.1.4 and earlier, 5.x.x and earlier.
* CSCec20244/CSCea28896 (VPNC): 6.2.3 and earlier. 6.1.x and 5.x.x are not affected; they do not implement the VPNC feature.

RISK:
Government:
1. Large and medium government entities: Medium
2. Small government entities: Low
Businesses:
1. Large and medium businesses: Medium
2. Small businesses: Low
Home users: Not applicable

DESCRIPTION:
SNMPv3 - CISCO PIX firewalls could crash and reload, creating a Denial of Service condition, when processing an SNMPv3 message when snmp-server host is configured on the firewall. The snmp-server host command is used to specify the recipient of an SNMP notification operation. Note this could occur even though PIX firewalls do not support SNMPv3.

VPNC - VPNC is also known as Easy VPN or ezVPN. This vulnerability exists only when the PIX firewall is configured as a VPN Client. An established VPNC IPSec tunnel connection can be dropped if another IPSec client attempts to make a connection to the outside interface of the VPN Client on the PIX firewall. The exploit of the vulnerability can create a Denial of Service condition.

RECOMMENDATIONS:
1) Employ the following workarounds and best practices for the SNMP vulnerability:
* SNMP on the PIX is DISABLED by default, and warning messages are displayed to the administrator when SNMP is configured to listen on the OUTSIDE interface. If SNMP is not required, make sure it is disabled on the firewall.
* Block SNMP at the Internet firewall if you do not have to manage any devices that are not on your network.
* Filter SNMP outbound (deny UDP ports 161 and 162 and TCP and UDP port 1993).
* Change the snmp-server community string to something other than "public".
* Restrict access to only allow trusted hosts on specific interfaces to poll the SNMP server on the Cisco PIX firewall.

If applicable, apply the following patches after appropriate testing. Note that Cisco has indicated that there is no workaround for the VPNC vulnerability, so the only solution for organizations using PIX firewalls as a VPN Client is to apply the patch.
* SNMPv3 - apply Cisco CSCeb20276 for PIX OS software versions 6.3.2 and later, 6.2.3 and later, 6.1.5 and later.
* VPNC - apply Cisco CSCec20244/CSCea28896 for PIX OS software versions 6.3.1 and later, 6.2(3.100) and later.

REFERENCES
CISCO
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_security_advisory09186a00801e118a.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20031215-pix.shtml
CISCO PIX Firewall Documentation
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/index.htm
AusCert
http://www.auscert.org.au/render.html?it=3690&cid=1
SECUNIA
http://www.secunia.com/advisories/10434/
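As an added example (not part of the forwarded advisory or Cisco's own tooling), the affected-version lists and the SNMP workarounds above expressed as a small triage script: it parses PIX version strings in both the dotted and the 6.2(3.100) interim format, applies the fixed levels the advisory gives for CSCeb20276 and CSCec20244/CSCea28896, and scans a configuration for the two SNMP settings the recommendations call out. The PIX 6.x `snmp-server` command syntax and the treatment of 6.0.x as lacking the VPNC feature are assumptions, and the sample version and configuration are constructed.

```python
import re

# First fixed (maintenance, interim) release per train, as stated in the advisory.
SNMPV3_FIXED = {(6, 1): (5, 0), (6, 2): (3, 0), (6, 3): (2, 0)}  # CSCeb20276
VPNC_FIXED = {(6, 2): (3, 100), (6, 3): (1, 0)}  # CSCec20244/CSCea28896
# Accepts '6.3.1', '6.2(3)' and '6.2(3.100)' style version strings.
_VER_RE = re.compile(r"^(\d+)\.(\d+)[.(](\d+)(?:\.(\d+))?\)?$")

def parse_pix_version(text):
    """Return (major, minor, maint, interim); a missing interim counts as 0."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PIX version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return int(major), int(minor), int(maint), int(interim or 0)

def snmpv3_affected(version):
    """CSCeb20276: affected below the fixed level of its train, and in every
    train older than 6.1 ('5.x.x and earlier'). Trains past 6.3 assumed fixed."""
    major, minor, maint, interim = parse_pix_version(version)
    train = (major, minor)
    if train in SNMPV3_FIXED:
        return (maint, interim) < SNMPV3_FIXED[train]
    return train < min(SNMPV3_FIXED)

def vpnc_affected(version):
    """CSCec20244/CSCea28896: only trains with VPNC (6.2, 6.3) are affected below
    their fixed level; 6.1.x/5.x.x are not. 6.0.x treated as unaffected (assumption)."""
    major, minor, maint, interim = parse_pix_version(version)
    train = (major, minor)
    if train in VPNC_FIXED:
        return (maint, interim) < VPNC_FIXED[train]
    return False

def snmp_config_findings(config_text):
    """Flag the SNMP settings the advisory asks administrators to change. Assumes
    PIX 6.x syntax 'snmp-server community <key>' / 'snmp-server host <if> <ip>'."""
    findings = []
    for line in config_text.splitlines():
        words = line.split()
        if words[:3] == ["snmp-server", "community", "public"]:
            findings.append("default community string 'public' still in use")
        if words[:3] == ["snmp-server", "host", "outside"]:
            findings.append("SNMP host on the outside interface: " + line.strip())
    return findings

# Constructed sample: a PIX on 6.2(2) polled over SNMP from the outside interface.
SAMPLE_VERSION = "6.2(2)"
SAMPLE_CONFIG = "snmp-server host outside 203.0.113.10 poll\nsnmp-server community public\n"
```

Running the three functions over SAMPLE_VERSION and SAMPLE_CONFIG reports the SNMPv3 crash as applicable, the VPNC drop as applicable (6.2(2) is below 6.2(3.100)), and both SNMP configuration findings.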
This archive was generated by hypermail 2b30 : Wed Dec 17 2003 - 19:29:32 PST