Firewall Wizards mailing list archives
Cisco PIX vulnerable to TCP RST DOS attacks
From: "Ahmed, Balal" <balal.ahmed () capgemini com>
Date: Wed, 5 May 2004 13:13:32 +0100
Dear wizards,

Cisco have released an advisory [1] hot on the heels of the NISCC TCP RST advisory [2]. Cisco's advice is to upgrade images where a network device is a connection endpoint.

Question :- If a PIX, or any other firewall/device for that matter, is performing NAPT/Hide NAT/PAT/NAT, then as far as the TCP conversation is concerned, is it a connection endpoint or a transit device? If it is a connection endpoint then it is susceptible to a TCP RST DOS attack.

According to RFC 3022 [3] and RFC 1631 [4], only ports and IP addresses are changed, along with updating the TCP checksum. The RFCs and the PIX manual would point to the fact that the PIX only forwards on and is not the actual host performing the three-way handshake; it only records the state of the connection, alters the headers, performs fixup and then forwards the packet on.

Having said this, I have seen PIXes tear down connections on seeing a RESET-O arrive from the outside. Does this mean that the PIX IS susceptible to the TCP RST vulnerability due to the way Cisco have implemented NAT?

References

[1] http://www.cisco.com/en/US/products/products_security_advisory09186a008021ba2f.shtml
[2] http://www.uniras.gov.uk/vuls/2004/236929/index.htm
[3] http://www.faqs.org/rfcs/rfc3022.html
[4] http://www.faqs.org/rfcs/rfc1631.html

Balal Ahmed
Security Analyst
Capgemini UK plc
mailto:balal.ahmed () cgey com
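The question above turns on what a state-tracking middlebox does when a RST arrives from the outside for a connection it has in its table. The following is an added example, not part of the original message and not Cisco PIX code: a small model of a NAT connection table with two RST-handling policies. The "lax" policy accepts any RST whose sequence number lands inside the window the inside host advertised (the condition the NISCC advisory is about), while the "strict" policy accepts a RST only when its sequence number equals the next expected sequence number. Flow keys, sequence numbers and windows are constructed values; `NatTable`, `FlowKey` and `rst_exposure` are names chosen here, not anything from the PIX.

```python
"""Model of a stateful NAT/firewall deciding whether an outside RST tears
down a tracked connection.  Added example; not PIX or Cisco code."""

from dataclasses import dataclass

SEQ_SPACE = 1 << 32  # TCP sequence numbers are 32-bit, compared modulo 2^32


@dataclass(frozen=True)
class FlowKey:
    # Identifies one translated flow (constructed field names)
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int


@dataclass
class ConnState:
    # Next sequence number the middlebox expects from the outside peer,
    # and the receive window most recently advertised by the inside host.
    next_seq_from_outside: int
    window_from_inside: int
    state: str = "ESTABLISHED"


class NatTable:
    """Connection table with a configurable RST acceptance policy."""

    def __init__(self, rst_policy: str = "strict"):
        if rst_policy not in ("strict", "lax"):
            raise ValueError("rst_policy must be 'strict' or 'lax'")
        self.rst_policy = rst_policy
        self.table: dict[FlowKey, ConnState] = {}

    def add(self, key: FlowKey, next_seq: int, window: int) -> None:
        self.table[key] = ConnState(next_seq % SEQ_SPACE, window)

    @staticmethod
    def in_window(conn: ConnState, seq: int) -> bool:
        # True when next_seq <= seq < next_seq + window, modulo 2^32,
        # so the check survives sequence-number wraparound.
        return (seq - conn.next_seq_from_outside) % SEQ_SPACE < conn.window_from_inside

    def handle_outside_rst(self, key: FlowKey, seq: int) -> bool:
        """Return True if the RST was accepted and the tracked state torn down."""
        conn = self.table.get(key)
        if conn is None:
            return False  # RST for an unknown flow: nothing to tear down
        if self.rst_policy == "strict":
            accept = seq % SEQ_SPACE == conn.next_seq_from_outside
        else:
            accept = self.in_window(conn, seq)
        if accept:
            del self.table[key]  # state removed; later segments are dropped
        return accept


def rst_exposure(window: int, rst_policy: str) -> int:
    """Number of distinct sequence values a spoofed RST could carry and still
    be accepted for one flow: 1 under the strict policy, `window` under lax.
    This is the quantity the advisory's risk estimate rests on."""
    return 1 if rst_policy == "strict" else window


if __name__ == "__main__":
    key = FlowKey("10.0.0.5", 40000, "198.51.100.7", 179)  # constructed flow
    for policy in ("lax", "strict"):
        nat = NatTable(policy)
        nat.add(key, next_seq=1000, window=65535)
        torn_down = nat.handle_outside_rst(key, seq=1000 + 30000)
        print(f"{policy}: in-window-but-not-exact RST tears down state: {torn_down}; "
              f"accepted seq values per flow: {rst_exposure(65535, policy)}")
```

Under the lax policy the model behaves like the teardown-on-RST the post describes: a RST anywhere in a 64 KiB window removes the translation entry, so the middlebox is exposed in the same way as an endpoint even though it never completed the handshake itself. Under the strict policy the same device, because it already tracks sequence numbers per flow, reduces the accepted values to exactly one.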