From: SecuriTeam <support@securiteam.com.>
To: list@securiteam.com
Date: 20 Feb 2007 14:02:46 +0200
Subject: [NEWS] Multiple Vulnerabilities in Cisco Firewall Services Module (FWSM)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070220113345.CED6B5B91@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
X-Spam-Status: No, hits=4.059 tagged_above=2 required=5 tests=LONGWORDS,
MSGID_FROM_MTA_ID
X-Spam-Level: ****
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Multiple Vulnerabilities in Cisco Firewall Services Module (FWSM)
------------------------------------------------------------------------
SUMMARY
Multiple vulnerabilities exist in the Cisco Firewall Services Module
(FWSM). These vulnerabilities occur in the processing of specific
Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), Session
Initiation Protocol (SIP), and Simple Network Management Protocol (SNMP)
traffic. If verbose logging is enabled for debugging purposes, a
vulnerability exists when the FWSM processes packets destined to itself.
All of these vulnerabilities may result in a reload of the device.
An additional vulnerability is included in this advisory in which the
manipulation of access control lists (ACLs) that make use of object groups
may corrupt the ACL and create a situation where unwanted traffic may be
permitted or desirable traffic may be blocked.
These vulnerabilities are independent of each other; a release that is
affected by one vulnerability is not necessarily affected by the others.
There are workarounds for some of the vulnerabilities disclosed in this
advisory.
Cisco has made free software available to address this issue for affected
customers.
DETAILS
Affected Products:
The vulnerabilities described in this document apply to the FWSM. The
companion advisory
<http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml>;
http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml contains
information about similar vulnerabilities that affect the Cisco PIX 500
Series Security Appliances and the Cisco ASA 5500 Series Adaptive Security
Appliances.
Products Confirmed Not Vulnerable:
With the exception of the Cisco PIX 500 Series Security Appliances and the
Cisco ASA 5500 Series Adaptive Security Appliances, no other Cisco
products are known to be vulnerable to the issues described in this
advisory.
Details:
The Cisco Firewall Services Module is a high-speed, integrated firewall
module for Catalyst 6500 series switches and Cisco 7600 series routers. It
offers firewall services with stateful packet filtering and deep packet
inspection.
Multiple vulnerabilities exist in certain versions of the FWSM software
that may cause the device to unexpectedly reload or that may cause traffic
to be permitted or denied contrary to the security policy in place.
1. Enhanced Inspection of Malformed HTTP Traffic May Cause Reload
This vulnerability may cause a FWSM to reload when the FWSM performs
enhanced inspection of HTTP requests, and a malformed HTTP request is
inspected by the FWSM. The FWSM only performs enhanced inspection of HTTP
traffic when the command inspect http <appfw> is present in the
configuration (appfw is the name of a specific HTTP map.) This command is
disabled by default.
Note: Enhanced inspection of HTTP traffic is what makes a configuration
affected. Regular inspection of HTTP traffic (through the command inspect
http without an HTTP map) will not make a configuration affected by this
vulnerability.
For information on what enhanced inspection of HTTP traffic does, and how
to configure it, please refer to the following URL:
<http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080577c72.html#wp1390330> http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080577c72.html#wp1390330
This vulnerability is documented in Cisco Bug ID
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsd75794>;
CSCsd75794 ( registered customers only) .
2. Inspection of Malformed SIP Messages May Cause Reload
This vulnerability may cause a FWSM to reload when a malformed SIP message
is received and deep packet inspection of SIP messages is enabled through
the command fixup protocol sip (in FWSM software 2.3.x and before) or
through the command inspect sip (in FWSM software 3.x and later). SIP
inspection is enabled by default in the 2.3.x series and before and is
disabled by default in the 3.x series and later.
This vulnerability is documented in Cisco Bug ID
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsg80915>;
CSCsg80915 ( registered customers only) .
3. Processing of Packets Destined to the FWSM May Cause Reload
This vulnerability will cause the FWSM to reload when trying to generate
syslog message 710006. For this to happen the following two conditions
must be satisfied:
* The FWSM receives a packet for one of the device's IP addresses and the
message is not one of the following protocols: TCP, UDP, ICMP, OSPF,
Failover, PIM, IGMP, and ESP. The source of the packet is not relevant.
* Logging must be enabled at a level high enough to generate syslog
message 710006. By default this is debugging level (level 7). Please note
that logging is disabled by default, and Cisco recommends customers only
log at debugging level for debugging and troubleshooting purposes.
Note: The documentation for the Cisco Security Monitoring, Analysis and
Response System (CS-MARS) suggests logging at the debugging level so more
events can be reported by the firewall.
For more information on syslog message 710006 please refer to the
following document:
* Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall
Services Module Logging Configuration and System Log Messages, 3.1
<http://www.cisco.com/en/US/products/hw/switches/ps708/products_system_message_guide_chapter09186a00804d74bd.html#wp1285757> http://www.cisco.com/en/US/products/hw/switches/ps708/products_system_message_guide_chapter09186a00804d74bd.html#wp1285757
This vulnerability is documented in Cisco Bug ID
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCse85707>;
CSCse85707 ( registered customers only) .
4. Processing of Malformed HTTPS Requests May Cause Reload
This vulnerability may cause the FWSM to reload when a user tries to
access a web site and the network administrator has configured the device
to authenticate users before granting them network access. This feature is
known as "authentication for network access", or auth-proxy, and is
enabled through the command aaa authentication match or aaa authentication
include.
The reload is actually triggered by a specific HTTPS request that is
invalid, and therefore, unlikely to be generated by a regular web browser.
This vulnerability is documented in Cisco Bug ID
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsg50228>;
CSCsg50228 ( registered customers only) .
5. Processing of Long HTTP Requests May Cause Reload
This vulnerability may also cause the FWSM to reload when the
administrator has enabled "authentication for network access
("auth-proxy") through the commands aaa authentication match or aaa
authentication include. However, in this case, the HTTP request that
causes the reload is valid, although it is not a normal request in the
sense that the URL being requested is very long. A web browser could
potentially generate such a request during regular browsing.
This vulnerability is documented in Cisco Bug ID
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsd91268>;
CSCsd91268 ( registered customers only) .
6. Processing of HTTPS Traffic May Cause Reload
This vulnerability may cause a FWSM to reload when the FWSM receives a
particular type of HTTPS traffic directed to the FWSM itself. This is only
a concern when the HTTPS server on the FWSM is enabled through the command
http server enable. This command is disabled by default.
Cisco is aware of a commercial vulnerability scanner that can generate the
HTTPS traffic that triggers the reload. We are not aware of regular web
browser traffic that triggers this bug.
This vulnerability is documented in Cisco Bug ID
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsd91268>;
CSCsf29974 ( registered customers only) .
7. Processing of Malformed SNMP Requests May Cause a Reload
This vulnerability may cause a FWSM to reload upon receipt of a malformed
SNMP message from a trusted device. The trusted device must be allowed
explicit SNMP poll access via the command snmp-server host <interface
name> <IP of trusted device>.
This vulnerability is documented in Cisco Bug IDs
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsf29974>;
CSCse52679 ( registered customers only) .
8. Manipulation of ACL May Cause ACL Corruption
This vulnerability may cause access control entries (ACEs) in an ACL to be
evaluated out of order, or not to be evaluated. This ACL corruption is
manifested, besides the obvious traffic implications, when the output from
the show access-list command and the corresponding ACL shown by the show
running-config command appear to be out of sync. Only a manual reload of
the device will cause this condition to go away.
The ACL corruption occurs when an ACL that makes use of object groups is
manipulated.
This vulnerability is documented in Cisco Bug IDs
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCse60868>;
CSCse60868 ( registered customers only) and
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCse99740>;
CSCse99740 ( registered customers only) .
Impact:
In all cases, with the exception of the "Manipulation of ACL May Cause ACL
Corruption" vulnerability, successful exploitation of any vulnerability
may cause a reload of the affected device. Repeated exploitation could
result in a sustained Denial-of-Service (DoS) condition.
In the case of the "Processing of Long HTTP Requests May Cause Reload"
vulnerability (
<http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsd91268>;
CSCsd91268), the reload occurs because a stack-based buffer is overflowed.
In this case remote code execution may be possible.
In the case of the "Manipulation of ACL May Cause ACL Corruption"
vulnerability, a device that becomes affected after an administrator
manipulates an ACL with object groups may allow traffic that would
normally be denied, or would deny traffic that would normally be
permitted. If the ACL is used for other functions like NAT (policy NAT and
NAT exemption), AAA (auth-proxy), control of access to the device (SSH,
Telnet, HTTP, ICMP), then those functions may be adversely affected as
well.
Workarounds
Additional mitigations that can be deployed on Cisco devices within the
network are available in the Cisco Applied Intelligence companion document
for this advisory:
<http://www.cisco.com/warp/public/707/cisco-air-20070214-firewall.shtml>;
http://www.cisco.com/warp/public/707/cisco-air-20070214-firewall.shtml
1. Enhanced Inspection of Malformed HTTP Traffic May Cause Reload
It is possible to mitigate this vulnerability by disabling enhanced
inspection of HTTP traffic. Please note that disabling HTTP enhanced
inspection will prevent the FWSM from protecting against specific attacks
and other threats that may be associated with HTTP traffic. Enhanced
inspection of HTTP traffic is disabled by removing the command inspect
http from the configuration, where appfw is the name of an HTTP map.
For further information about the inspect http <appfw> command, and the
type of checks it performs on HTTP traffic, please see the documentation
for this command at:
<http://www.cisco.com/en/US/products/hw/switches/ps708/products_command_reference_chapter09186a008048e279.html#wp1570030> http://www.cisco.com/en/US/products/hw/switches/ps708/products_command_reference_chapter09186a008048e279.html#wp1570030
Please note that the command inspect http (without an HTTP map) can be
left in the configuration and the device will not be affected by this
vulnerability.
2. Inspection of Malformed SIP Messages May Cause Reload
It is possible to mitigate this vulnerability by disabling deep packet
inspection ("fixup" in software version prior to 3.x or "inspect" in
software version 3.x and later) of SIP messages. Note, however, that this
may have negative impact on devices terminating SIP sessions since SIP
traffic will no longer undergo stateful application inspection, and
devices which terminate sessions for this protocol will be exposed to
packets that may cause these devices to crash or become compromised.
If you are running a 3.x FWSM software release, then the alternative is to
allow traffic only from the trusted hosts. The configuration to accomplish
this is as follows:
access-list sip-acl extended permit udp 10.1.1.0 255.255.255.0 host
192.168.5.4 eq sip
access-list sip-acl extended permit udp host 192.168.5.4 10.1.1.0
255.255.255.0 eq sip
class-map sip-traffic
match access-list sip-acl
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
class sip-traffic
inspect sip
!
service-policy global_policy global
In this example SIP endpoints are any host within 10.1.1.0 network (inside
the trusted network) and a host with the IP address of 192.168.5.4
(outside of the trusted network). You would have to substitute these IP
addresses with the ones that are used in your network.
Please note that SIP is an UDP-based protocol, so spoofing SIP messages is
possible.
3. Processing of Packets Destined to the FWSM May Cause Reload
Since this vulnerability only manifests itself when syslog message 710006
is generated, it is possible to workaround the vulnerability either by
disabling generation of syslog message 710006 altogether, or by logging at
a syslog level that is lower than the syslog level at which this message
is generated.
By default, syslog message 710006 is generated at syslog level 7
("debugging"), so a viable workaround is to log at level 6 or lower. This
can be accomplished with the command logging 6. If syslog message 710006
has been moved to a different logging level, then the logging level in use
must be changed accordingly to prevent the message from being generated.
If logging at the "debugging" level is necessary, the vulnerability can
also be eliminated by disabling this particular syslog message by using
the command no logging message 710006.
4. Processing of Malformed HTTPS Requests May Cause Reload
There are no workarounds for this vulnerability.
5. Processing of Long HTTP Requests May Cause Reload
There are no workarounds for this vulnerability.
6. Processing HTTPS Traffic May Cause a Reload
Since this vulnerability is caused by the HTTPS server on the FWSM failing
to handle certain types of HTTPS traffic, disabling the HTTPS server
through the command no http server enable is a valid workaround if this
functionality is not needed. Please note that this functionality is used
by ASDM, so if configuration of the FWSM is exclusively done through ASDM
disabling the HTTPS server may not be a viable workaround.
Additionally, it is possible to limit the exposure by allowing HTTPS
connections only from trusted IP addresses or networks. This can be
accomplished with the http command. For example, the following command:
FWSM(config)# http 192.168.1.10 255.255.255.255 inside
will only permit HTTPS connections from the IP address 192.168.1.10.
7. Processing of Malformed SNMP Requests May Cause a Reload
This bug can only be triggered by a malformed SNMP message that comes from
a device that is allowed SNMP access on the FWSM. If SNMP is not needed it
can be removed through the command no snmp-server host <interface name>
<IP address of trusted device>, which will eliminate the vulnerability.
8. Manipulation of ACL May Cause ACL Corruption
There are no workarounds for this vulnerability. However, please note that
the ACL corruption does not occur during normal operation of the device
and it cannot be triggered by some type of traffic. It can only occur if
an administrator makes configuration changes (and more specifically, if an
administrator manipulates an ACL.) For this reason, if ACL changes are
made only during a maintenance window, and the FWSM is reloaded after
making those changes, there should not be any concerns with this
vulnerability.
ADDITIONAL INFORMATION
The information has been provided by <mailto:psirt@cisco.com.> Cisco
Systems Product Security Incident Response Team.
The original article can be found at:
<http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml>;
http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
