Firewall Wizards mailing list archives
CIsco PIX vulnerable to TCP RST DOS attacks
From: Dario Calia <dario_calia () yahoo com>
Date: Wed, 5 May 2004 11:46:25 -0700 (PDT)
PIX can and has done this as well.
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml

When upgraded the PIX will behave as described in the following draft RFC.
http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt

Ciao,
Dario
Apparently, Checkpoint can and did:

"By upgrading to Check Point VPN-1/FireWall-1 R55 HFA-03 or newer, customers are able to protect their entire network from this vulnerability; thus providing additional time and security until other systems and software can be patched."
http://www.checkpoint.com/techsupport/alerts/tcp_dos.html

Shimon Silberschlag
+972-3-9351572
+972-51-207130
----- Original Message -----
From: "Paul D. Robertson" <paul () compuwar net>
To: "Ahmed, Balal" <balal.ahmed () capgemini com>
Cc: <firewall-wizards () honor icsalabs com>
Sent: Wednesday, May 05, 2004 14:38
Subject: Re: [fw-wiz] CIsco PIX vulnerable to TCP RST DOS attacks

On Wed, 5 May 2004, Ahmed, Balal wrote:

> If a PIX, or any other firewall/device for that matter, is performing NAPT/Hide NAT/PAT/NAT then as far as the TCP conversation is concerned is it a connection end point or a transit device?

If it's a proxy, or a termination point for a connection such as a VPN, then it's an endpoint; if it's a filter or router, then it's a transit device. It's possible for stateful filters to "fix" endpoint issues for this bug, but it's not a default, and would have probably had to have been added since the original advisory went out. I'd like to see the firewall vendors who can step up and fix this one; it's a perfect "we can fix this without having folks update every system" thing that firewalls SHOULD fix.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson             "My statements in this message are personal opinions
paul () compuwar net           which may have no basis whatsoever in fact."
probertson () trusecure com    Director of Risk Assessment, TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
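The tcpsecure behaviour Dario's post points at, as an added illustration that is not from the thread, from Cisco or from the IETF draft's text: a model of the RST validation rule in that draft (later published as RFC 5961) beside the classic RFC 793 rule, swept over a constructed connection state to show how many sequence numbers tear a connection down under each. Function and class names here (`rst_action_tcpsecure`, `ConnState`, the sample `CONN`) are mine.

```python
from dataclasses import dataclass
from enum import Enum

SEQ_MASK = 0xFFFFFFFF  # TCP sequence numbers live in a 32-bit space

class Action(Enum):
    RESET = "tear down the connection"
    CHALLENGE_ACK = "keep the connection, answer with an ACK carrying RCV.NXT"
    DROP = "discard silently"

@dataclass(frozen=True)
class ConnState:
    rcv_nxt: int  # next sequence number the receiver expects (RCV.NXT)
    rcv_wnd: int  # receive window the receiver advertised (RCV.WND)

def in_window(state: ConnState, seq: int) -> bool:
    """RCV.NXT <= SEQ < RCV.NXT + RCV.WND, compared modulo 2^32."""
    return ((seq - state.rcv_nxt) & SEQ_MASK) < state.rcv_wnd

def rst_action_rfc793(state: ConnState, seq: int) -> Action:
    """Classic rule: any RST whose sequence number lands in the window resets."""
    return Action.RESET if in_window(state, seq) else Action.DROP

def rst_action_tcpsecure(state: ConnState, seq: int) -> Action:
    """Draft rule: only an RST at exactly RCV.NXT resets. An in-window RST
    elsewhere gets a challenge ACK; a genuine peer answers it with an RST at
    RCV.NXT, a blind sender cannot. Out-of-window RSTs are dropped as before."""
    if seq == state.rcv_nxt:
        return Action.RESET
    if in_window(state, seq):
        return Action.CHALLENGE_ACK
    return Action.DROP

def resetting_sequence_count(state: ConnState, handler) -> int:
    """Count the sequence numbers that reset the connection under `handler`.
    Only the window plus one value on each edge is swept: both rules drop
    everything else, so the result equals the count over the full 32-bit space."""
    first = (state.rcv_nxt - 1) & SEQ_MASK
    return sum(
        1
        for i in range(state.rcv_wnd + 2)
        if handler(state, (first + i) & SEQ_MASK) is Action.RESET
    )

# Constructed connection state: an arbitrary RCV.NXT and a common 64 KiB window.
CONN = ConnState(rcv_nxt=0x7F3A1000, rcv_wnd=65535)
```

Under the classic rule every one of the 65535 in-window values resets `CONN`; under the draft rule exactly one does, which is the reduction the firewall vendors in the thread were shipping as a hotfix.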