[nsp] Cisco Security Advisory: Cisco PIX Firewall Authentication Denial of Service Vulnerability

From: Cisco Systems Product Security Incident Response Team (psirt@cisco.com)
Date: Wed Oct 03 2001 - 11:30:00 EDT


-----BEGIN PGP SIGNED MESSAGE-----

       Cisco PIX Firewall Authentication Denial of Service Vulnerability
                                       
Revision 1.0

  For Public Release 2001 October 03 08:00 (UTC -0800)
     _________________________________________________________________
   
Summary

   The Cisco Secure PIX Firewall AAA authentication feature, introduced
   in version 4.0, is vulnerable to a Denial of Service (DoS) attack
   initiated by authenticating users on the system. This vulnerability
   affects specific configurations and has been resolved in released
   versions of the PIX Firewall.
   
   This vulnerability has been assigned Cisco bug ID CSCdt92339.
   
   The complete notice will be available at
   http://www.cisco.com/warp/public/707/pixfirewall-authen-flood-pub.shtml.
   
Affected Products

   All users of Cisco Secure PIX Firewalls with software versions 4.0 up
   to and including 4.4(8), 5.0(3), 5.1(3), 5.2(2), and 5.3(1) with
   configurations using AAA authentication are at risk.
   
   Affected configurations will have configuration lines that begin:
    pixfirewall# aaa authentication ...

   Configurations not including aaa authentication are not affected. PIX
   Firewall software versions 6.0(1) and later are not affected.
   
   The IOS Firewall feature set is not affected by the above defect.
   
   No other Cisco products are affected by this defect.
   
Details

   When AAA authentication services are configured on the Cisco Secure
   PIX Firewall, it is possible for a single source address to consume
   all of the authentication resources, preventing other legitimate users
   from authenticating. This is a denial of service strictly for the
   authentication resources; other established traffic continues
   unaffected, and only new authentication requests are prevented.
   
   This vulnerability has been resolved in the recent versions of the PIX
   Firewall by creating a maximum limit of three open authentication
   requests per user.
   
   Cisco Bug ID CSCdv09731 amends this limitation to allow system
   administrators to modify this limit, depending on their network
   requirements.
   
Impact

   This issue causes a PIX Firewall to be vulnerable to a DoS attack in
   which the availability of the unit is degraded. This does not result
   in a loss in confidentiality or in loss of integrity of the traffic
   being filtered.
   
Software Versions and Fixes

- ----------------------------------------------------------------------------
Version Affected | Interim Release | Fixed Regular Release (available now)
                 | |
                 | Fix carries | Fix carries forward into all
                 | forward into all | later versions
                 | later versions |
- ----------------------------------------------------------------------------
                 | |
All versions of | | Upgrade to 5.2(6)
Cisco Secure PIX | |
up to and | |
including | |
version 4.4(8) | |
                 | |
- ----------------------------------------------------------------------------
                 | |
 Version 5.0 and | | Upgrade to 5.2(6)
 Version 5.1 | |
                 | |
- ----------------------------------------------------------------------------
                 | |
 Version 5.2(2) | 5.2(5.204) | 5.2.(6)
                 | |
- ----------------------------------------------------------------------------
                 | |
 Version 5.3.x | 5.3(1.203) | 5.3(2)
 up to and | |
 including | |
 version 5.3(1) | |
                 | |
- ----------------------------------------------------------------------------
   
Obtaining Fixed Software

   Cisco is offering free software upgrades to remedy this vulnerability
   for all affected customers. Customers with service contracts may
   upgrade to any software version. Customers without contracts may
   upgrade only within a single row of the table above, except that any
   available fixed software will be provided to any customer who can use
   it and for whom the standard fixed software is not yet available. As
   always, customers may install only the feature sets they have
   purchased.
   
   Customers with contracts should obtain upgraded software through their
   regular update channels. For most customers, this means that upgrades
   should be obtained via the Software Center on Cisco's Worldwide Web
   site at http://www.cisco.com. Customers whose Cisco products are
   provided or maintained through prior or existing agreement with
   third-party support organizations such as Cisco Partners, authorized
   resellers, or service providers should contact that support
   organization for assistance with the upgrade, which should be free of
   charge.
   
   Customers who purchase direct from Cisco but who do not hold a Cisco
   service contract, and customers who purchase through third party
   vendors but are unsuccessful at obtaining fixed software through their
   point of sale, should get their upgrades by contacting the Cisco
   Technical Assistance Center (TAC). TAC contacts are as follows:
     * +1 800 553 2447 (toll-free from within North America)
     * +1 408 526 7209 (toll call from anywhere in the world)
     * e-mail: tac@cisco.com
       
   See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
   additional TAC contact information, including instructions and e-mail
   addresses for use in various languages.
   
   Give the URL of this notice as evidence of your entitlement to a
   free upgrade. Free upgrades for non-contract customers must be
   requested through the TAC. Please do not contact either
   "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.
   
Workarounds

   There is no known workaround for all authentication types.
   
   If authentication is configured in conjunction with the Virtual HTTP
   feature, a limit of three concurrent authentication attempts per user
   exists, which could prevent this denial of service for HTTP traffic
   only. This would have no effect on authentication attempts for FTP or
   Telnet if the PIX is configured for authentication of those services.
   
Exploitation and Public Announcements

   This vulnerability has been publicly discussed on the Bugtraq list
   maintained by SecurityFocus at
   http://www.securityfocus.com/archive/1/174577.
   Cisco has no evidence or knowledge of exploitation of this
   vulnerability; this was discovered when a program on a customer site
   utilized all authentication resources.
   
Status of This Notice: FINAL

   This is a final notice. Although Cisco cannot guarantee the accuracy
   of all statements in this notice, all of the facts have been checked
   to the best of our ability. Cisco does not anticipate issuing updated
   versions of this notice unless there is some material change in the
   facts. Should there be a significant change in the facts, Cisco may
   update this notice.
   
Distribution

   This notice will be posted on Cisco's Worldwide Web site at
   http://www.cisco.com/warp/public/707/pixfirewall-authen-flood-pub.shtml.
   In addition to Worldwide Web posting, a text version of this
   notice is clear-signed with the Cisco PSIRT PGP key and is posted to
   the following e-mail and Usenet news recipients:
     * cust-security-announce@cisco.com
     * bugtraq@securityfocus.com
     * firewalls@lists.gnac.com
     * first-teams@first.org (includes CERT/CC)
     * cisco@spot.colorado.edu
     * cisco-nsp@puck.nether.net
     * comp.dcom.sys.cisco
     * Various internal Cisco mailing lists
       
   Future updates of this notice, if any, will be placed on Cisco's
   Worldwide Web server, but may or may not be actively announced on
   mailing lists or newsgroups. Users concerned about this problem are
   encouraged to check the URL given above for any updates.
   
Revision History

   Revision 1.0 For public release 2001 October 03 08:00 (UTC -0800)
   
Cisco Security Procedures

   Complete information on reporting security vulnerabilities in Cisco
   products, obtaining assistance with security incidents, and
   registering to receive security information from Cisco, is available
   on Cisco's Worldwide Web site at
   http://www.cisco.com/warp/public/707/sec_incident_response.shtml.
   This includes instructions for press inquiries regarding Cisco
   security notices. All Cisco Security Advisories are available at
   http://www.cisco.com/go/psirt.
     _________________________________________________________________
   
   This notice is Copyright 2001 by Cisco Systems, Inc. This notice may
   be redistributed freely after the release date given at the top of the
   text, provided that redistributed copies are complete and unmodified,
   and include all date and version information.
     _________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQEVAwUBO7sslA/VLJ+budTTAQEU1gf/VsgQCFDrZb09DA3ZPzHzJucpUX+LcAtC
bzLir7V2E1olfv8iqX1M1YDC3a3xQLb9LtwcC036exGnfZ/lqQTSP4Lln0RVRUiJ
igi/sbVqTRkuEOIRMAO9ocuIreH+pMjKcg96SXRfWY53+CF9qnTlp08ma7Jh5/xJ
92m8bel+jhN3dqu2P2f698UvY/mUcmE4vBDnQQJRbbjtk5XED+XIoSdx1FivWgrm
Y+qOlKXPMMNxbrsANML8XgLwtJtXJZMvQxVIrvHdrA7HjlK3o/iR60JMU5n+pD6y
iDXfJxNUf47oN+tWmEFIL4mL1p+yARjwjaz4Rz3YW1QBVy+3beYgMw==
=UqcC
-----END PGP SIGNATURE-----



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:19 EDT