From: SecuriTeam <support@securiteam.com.>
To: list@securiteam.com
Date: 15 Nov 2005 12:48:28 +0200
Subject: [NEWS] Cisco ASA Multiple Failover DoS Vulnerabilities
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20051115110833.75C925786@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Cisco ASA Multiple Failover DoS Vulnerabilities
------------------------------------------------------------------------
SUMMARY
"The <http://www.cisco.com/en/US/products/ps6120/>; Cisco ASA 5500 Series
Adaptive Security Appliance is a high-performance, multifunction security
appliance family delivering converged firewall, IPS, network anti-virus
and VPN services. "
When attacker makes crafted ARP packet that conflicts with Cisco ASA IP or
when Cisco ASA is spoofed with ARP packets, it is possible to cause a DoS
and bypass Cisco ASA firewall.
DETAILS
Vulnerable Systems:
* Cisco Adaptive Security Appliances version 7.0.0
* Cisco Adaptive Security Appliances version 7.0.2
* Cisco Adaptive Security Appliances version 7.0.4
An inherent weakness in the Cisco ASA failover testing algorithm and
methodology was identified and noted to Cisco TAC and PSIRT. In general,
the two weaknesses have been identified as a race condition between two
different failover testing processes and a lack of authentication for
failover messages between active and standby.
These conditions are noted in Cisco bug IDs:
* CSCsc34022 - ASA-PIX requires improved failover testing method
* CSCsc47618 - Authenticate all messages between Active and Standby
In an Active/Standby configuration:
When failover LAN communications goes down {i.e. cable problem, switch/hub
failure, interface failure, ASA software bug, etc}, the standby firewall
sends ARP requests on each of the segments for the IP address of the
Active firewall to see if the Active is still alive. If there is a
response for AT LEAST ONE of the requests, the standby will NOT become
active (i.e. there is no failover).
For this issue to occur, a duplicate IP address matching one of the active
firewall's IP addresses must be present on the same network subnet as the
firewalls when the active firewall loses power or crashes.
When the active firewall loses power or crashes, the standby firewall's
LAN failover interface will lose connectivity with the active firewall.
This causes the standby firewall to ARP for the IP address of each active
firewall interface. Because the active firewall is now unreachable, the
duplicate IP address matching the active firewall will cause the standby
firewall to receive a reply to the ARP attempt. Upon receiving the
erroneous ARP reply, the standby firewall will believe that the active
firewall is still reachable and prevent the standby firewall from taking
over.
Due to the timing of two concurrent failover tests, there are still cases
where the standby firewall will be able to determine that the active
firewall is down even when a duplicate IP address is present; however,
this can not be guaranteed.
Workaround:
Connecting the LAN failover interfaces of the firewalls to switch ports
may minimize but not completely mitigate the chance that an otherwise
active firewall will lose connectivity to its LAN failover interface.
Preventing or correcting IP addresses that duplicate the firewall IP
addresses is a complete workaround for this issue.
The firewall will detect and log duplicate IP addresses with system log
message:
%PIX-4-405001: Received ARP response collision from <firewall IP
address/mac address of device with duplicate IP address> on interface
<firewall interface>.
Additional information about this syslog message is available at:
<http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/syslog/logmsgs.htm#wp1282234> System Log Messages
Additional information about configuring failover in PIX and ASA 7.0 is
available at:
<http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/failover.htm>; http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/failover.htm
Additional information about configuring failover in FWSM 2.3 is available
at:
<http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_3/fwsm_cfg/failover.htm>; Using Failover
The Release Note Enclosure for CSCsc47618 states:
An attacker who can spoof the IP address and MAC address of an active
firewall's interface may prevent failover from occurring.
When the active firewall loses power or crashes, the standby firewall's
LAN failover interface will lose connectivity with the active firewall.
This causes the standby firewall to ARP for the IP address of each active
firewall interface. The standby firewall will only accept the ARP response
if the source
MAC address matches the active firewall's interface MAC address. An
attacker who can spoof the IP address and MAC address of the active
firewall's interface can lead the standby firewall to believe that the
active firewall is still reachable and prevent the standby firewall from
taking over.
Workaround:
Configure port security on all switch ports configured to be in the same
vlans as the active and standby firewalls enabled interfaces. Port
security must not be enabled on the switch ports connected to the active
and standby firewalls interfaces.
Port security will prevent an attacker from spoofing the active firewall's
interface MAC address allowing failover to occur normally.
This configuration should be tested before being enabled in a production
environment.
For information on configuring port security refer to:
Catalyst 6500 Series Cisco IOS Software Configuration Guide Configuring
Port Security
<http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a2c.html>; Configuring Port Security
Catalyst 6500 Series Software Configuration Guide Configuring Port
Security
<http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008022f27b.html>; Configuring Port Security
LAN Security Configuration Guides
<http://www.cisco.com/en/US/tech/tk389/tk814/tech_configuration_guides_list.html>; http://www.cisco.com/en/US/tech/tk389/tk814/tech_configuration_guides_list.html
For information about layer 2 attacks and mitigations refer to:
SAFE Layer 2 Security In-depth Version 2:
<http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml>; SAFE Layer 2 Security In-depth Version 2
ADDITIONAL INFORMATION
The information has been provided by <mailto:atora@eplus.com.> Amin Tora
and <mailto:rivener@cisco.com.> Randy Ivener
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
