[nsp-sec] FWSM vulnerability

Smith, Donald Donald.Smith at qwest.com
Fri Aug 21 17:56:40 EDT 2009


Cisco recommendations are a bit inconsistent on this vulnerability.

In the email PSIRT release they list a set of "safe ICMP" and state that "It is safe to allow any other ICMP messages for which the Cisco IOS Software access-list command has named ICMP type keywords." From that I originally thought this meant the exploit packets were something Cisco didn't have a keyword for.

However, in the additional mitigation link they are blocking those very same ICMP types towards an FWSM, except from a set of trusted hosts.

Lastly, in their identification of traffic flows that may be attempts to exploit this vulnerability, they are specifically watching for ICMP echo request, echo reply, host unreachable, traceroute, packet too big, time exceeded and unreachable, the same set they claim is safe in the email version of the PSIRT advisory.

Additional mitigation link:
http://www.cisco.com/warp/public/707/cisco-amb-20090819-fwsm.shtml

Based on the iACL in the additional mitigation and the NetFlow example, I believe that at least these packets are related to this vulnerability:
"In the preceding example, there are multiple flows for the following ICMP packet types: ICMP echo request (hex value 0800), echo-reply (hex value 0000), host-unreachable (hex value 0301), traceroute (hex value 0030), packet-too-big (hex value 0200), time-exceeded (hex value 1100), and unreachable (hex value 0300)." Note several of those are ICMPv6.



To convert Cisco's NetFlow hex ICMP values to type and code:
1) Convert from hex to decimal, since most of us are used to seeing ICMP types/codes in decimal.
2) Divide by 256; the quotient is the TYPE and the remainder is the CODE.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Cisco released the following Security Advisory today:
Cisco Security Advisory: Firewall Services Module Crafted ICMP Message Vulnerability

Advisory ID: cisco-sa-20090819-fwsm
http://www.cisco.com/warp/public/707/cisco-sa-20090819-fwsm.shtml 

Revision 1.0

For Public Release 2009 August 19 1600 UTC (GMT) 

Summary
=======
A vulnerability exists in the Cisco Firewall Services Module (FWSM) for the Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The vulnerability may cause the FWSM to stop forwarding traffic and may be triggered while processing multiple, crafted ICMP messages.

There are no known instances of intentional exploitation of this vulnerability. However, Cisco has observed data streams that appear to trigger this vulnerability unintentionally.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090819-fwsm.shtml. 

 

Vulnerability Scoring Details
=============================
CSCsz97207 -- NP 2 threads lock due to processing malformed IP packet
CVSS Base Score - 7.8
CVSS Temporal Score - 6.4

Workarounds
==========
There are no workarounds for this vulnerability. Access control lists (ACLs) that are deployed on the FWSM itself to block through-the-device or to-the-device ICMP messages are not effective to prevent this vulnerability. However, blocking unnecessary ICMP messages on screening devices or on devices in the path to the FWSM will prevent the FWSM from triggering the vulnerability. For example, the following ACL, when deployed on a Cisco IOS device in front of the FWSM, will prevent crafted ICMP messages from reaching the FWSM, and thus protect the FWSM from triggering the vulnerability:

access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any unreachable
access-list 101 deny   icmp any any
access-list 101 permit ip any any

This sample ACL is allowing certain ICMP messages that are vital for network troubleshooting and for proper operation of the network. It is safe to allow any other ICMP messages for which the Cisco IOS Software access-list command has named ICMP type keywords. ACLs like the one in the preceding example may also be deployed on non-Cisco IOS devices, such as the Cisco PIX and ASA security appliances, although the ACL syntax on non-Cisco IOS devices may not support all the named ICMP type keywords that the Cisco IOS ACL syntax supports. However, on non-Cisco IOS devices, it is safe to permit all ICMP messages for which there are named ICMP type keywords in the ACL syntax.

As mentioned in the Details section, if the FWSM has stopped processing traffic due to this vulnerability, the FWSM will require a reload. Administrators can reload the FWSM by logging in to the supervisor of the Catalyst 6500 Series Switch or the Cisco 7600 Series router and issuing the hw-module module <slot # for FWSM> reset (Cisco IOS Software), or set module power up|down <module #> (Cisco CatOS Software) commands.

Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20090819-fwsm.shtml.

 

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory, but Cisco is aware of customers that have encountered this vulnerability during normal network operation.

This vulnerability was discovered during the handling of customer support cases.
If you have any questions, please feel free to contact us.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Sharing: Author's permission required except within your organization, anonymize.
Donald.Smith at qwest.com gcia 
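Added example (written here for this page; it is not code from the post, from the nsp-sec list or from Cisco): a small Python decoder for the two-step hex-to-type/code recipe above, applied to the hex values quoted from the Applied Mitigation Bulletin, with each decoded value checked against the ICMP permit list in the advisory's sample iACL. Everything in the block is constructed: the ICMP name tables are the IANA assignments I am confident of, the sample values are the ones quoted in the post (not flows captured from a real FWSM), and the keyword-to-type/code mapping for the IOS ACL keywords (`unreachable` = any type 3, `host-unreachable` = 3/1, `packet-too-big` = 3/4, `traceroute` = type 30, `time-exceeded` = type 11) is my reading of IOS ACL semantics and should be checked against the IOS command reference before being relied on.

```python
"""Decode the ICMP type/code values that Cisco NetFlow ("show ip cache flow")
prints as a 16-bit hex number in the destination-port column, and check each
decoded value against the ICMP permit list from the advisory's sample iACL.
Added example with constructed inputs; see the lead-in for what is assumed."""

# IANA-assigned type names for the types that matter here.
ICMPV4_TYPES = {
    0: "echo-reply", 3: "destination-unreachable", 5: "redirect",
    8: "echo-request", 9: "router-advertisement", 10: "router-solicitation",
    11: "time-exceeded", 12: "parameter-problem", 13: "timestamp-request",
    14: "timestamp-reply", 17: "address-mask-request",
    18: "address-mask-reply", 30: "traceroute",
}
ICMPV4_UNREACHABLE_CODES = {
    0: "net", 1: "host", 2: "protocol", 3: "port",
    4: "fragmentation-needed", 13: "admin-prohibited",
}
ICMPV6_TYPES = {
    1: "destination-unreachable", 2: "packet-too-big", 3: "time-exceeded",
    4: "parameter-problem", 128: "echo-request", 129: "echo-reply",
    133: "router-solicitation", 134: "router-advertisement",
    135: "neighbor-solicitation", 136: "neighbor-advertisement",
    137: "redirect",
}

# IOS named ICMP keywords from the advisory's ACL, mapped to (type, code);
# code None means "any code".  ASSUMPTION: this is my reading of IOS ACL
# keyword semantics ("unreachable" = any type 3, "packet-too-big" = 3/4,
# "traceroute" = type 30); verify against the IOS command reference.
# Order matters: the more specific type-3 entries come before "unreachable".
ADVISORY_PERMIT_KEYWORDS = [
    ("echo", 8, None),
    ("echo-reply", 0, None),
    ("traceroute", 30, None),
    ("packet-too-big", 3, 4),
    ("host-unreachable", 3, 1),
    ("time-exceeded", 11, None),
    ("unreachable", 3, None),
]


def decode_netflow_icmp(hex_value: str) -> tuple[int, int]:
    """Split a NetFlow hex value such as "0301" into (type, code).

    NetFlow stores type*256 + code where the destination port would be, so
    this is the post's two-step recipe: hex -> decimal, then divide by 256
    (quotient = type, remainder = code)."""
    value = int(hex_value, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"not a 16-bit NetFlow port value: {hex_value}")
    return divmod(value, 256)


def name_icmpv4(icmp_type: int, icmp_code: int):
    """Human-readable ICMPv4 name, or None if the type is not in the table."""
    name = ICMPV4_TYPES.get(icmp_type)
    if name == "destination-unreachable":
        return f"{name}/{ICMPV4_UNREACHABLE_CODES.get(icmp_code, icmp_code)}"
    return name


def name_icmpv6(icmp_type: int):
    """Human-readable ICMPv6 name, or None if the type is not in the table."""
    return ICMPV6_TYPES.get(icmp_type)


def advisory_acl_permits(icmp_type: int, icmp_code: int):
    """Return the ACL keyword that would permit this ICMPv4 type/code, or None
    if it falls through to the advisory ACL's final "deny icmp any any"."""
    for keyword, t, c in ADVISORY_PERMIT_KEYWORDS:
        if icmp_type == t and (c is None or icmp_code == c):
            return keyword
    return None


def describe(hex_value: str) -> dict:
    """Decode one NetFlow hex value and report both the ICMPv4 and the ICMPv6
    reading of the type, plus the advisory ACL verdict (that ACL is IPv4-only)."""
    icmp_type, icmp_code = decode_netflow_icmp(hex_value)
    return {
        "hex": hex_value, "type": icmp_type, "code": icmp_code,
        "icmpv4": name_icmpv4(icmp_type, icmp_code),
        "icmpv6": name_icmpv6(icmp_type),
        "permitted_by": advisory_acl_permits(icmp_type, icmp_code),
    }


# Constructed input: the hex values quoted from the Applied Mitigation
# Bulletin in the post above, not values captured from a real FWSM.
SAMPLE_FLOW_VALUES = ["0800", "0000", "0301", "0030", "0200", "1100", "0300"]

if __name__ == "__main__":
    for hv in SAMPLE_FLOW_VALUES:
        d = describe(hv)
        verdict = f"permit {d['permitted_by']}" if d["permitted_by"] else "deny"
        print(f"{d['hex']}: type {d['type']:>3} code {d['code']:>3}  "
              f"v4={d['icmpv4']}  v6={d['icmpv6']}  iACL={verdict}")
```

Running it prints one line per quoted hex value, showing the decoded type/code, what that type means in ICMPv4 and in ICMPv6, and which `permit icmp` line of the advisory ACL (if any) would match it; that makes it easy to see for yourself which of the bulletin's values line up with the IOS keywords and which only make sense as ICMPv6 types.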

