<<< Date Index >>>     <<< Thread Index >>>

[ADVISORY] CISCO ASA Failover DoS Vulnerability



-------------------=========================-------------------

   Advisory  : EPSIRT 051028-ASA01

   Title     : CISCO ASA Failover DoS Vulnerability

   Release   : November 14, 2005

   Author    : Amin Tora

   Severity  : Denial of Service

   Risk Level: Low

   Product   : CISCO Adaptive Security Appliances
               running: 7.0(0), 7.0(2), 7.0(4)

-------------------=========================-------------------

   --== Overview ==-

A possible denial of service against failover can occur due to a race 
condition when there is an IP conflict or spoofed ARP response upon 
active firewall failure.

   --== Details ==-

An inherent weakness in the CISCO ASA failover testing algorithm and 
methodology was identified and noted to CISCO TAC and PSIRT.  In 
general, the two weaknesses have been identified as a race condition 
between two different failover testing processes and a lack of 
authentication for failover messages between active and standby.  The 
prior condition has been resolved and will be available in an upcoming 
version of ASA software.  These conditions are noted in CISCO bug IDs:

  * CSCsc34022 - ASA-PIX requires improved failover testing method
  * CSCsc47618 - Authenticate all messages between Active and Standby 

In an Active/Standby configuration: 

When failover LAN communications goes down {i.e. cable problem, 
switch/hub failure, interface failure, ASA software bug, etc}, the 
standby firewall sends ARP requests on each of the segments for the IP 
address of the Active firewall to see if the Active is still alive.  If 
there is a response for AT LEAST ONE of the requests, the standby will 
NOT become active (i.e. there is no failover).

This scenario can occur when:

1. Failover LAN interface fails AND you have a failure on any of the 
other traffic carrying interfaces, EXCEPT for one.

2. Failover LAN interface fails AND you have a power failure on the 
ACTIVE firewall, AND there exists an "IP address conflict" with a 
traffic carrying interface.

Here, the "IP address conflict" can be another improperly configured 
device with the same IP as assigned on a traffic carrying interface, or,

it could be an ARP spoof attack.  

During such an outage, by sending at least one ARP response to the 
standby's ARP requests an attacker can cause a "failover denial of 
service" by not allowing the standby to become active - rendering the 
failover solution ineffective.

The "interface-policy 1" command may or may not resolve this issue as 
there is a race condition between to separate processes performing two 
separate tests {i.e. one for interface failure and one for the ARP 
test}.  Depends on who gets to the finish line first.


   --== Impact ==-

It is believed the severity on this issue is low. An attacker would 
require direct access to the network segment AND there would have to be 
some form of failure on the active firewall.

All these conditions must be met for an attacker to succeed with the 
denial of service:

       1. Have some form of access to a local segment of the firewalls:
       
                A. Direct physical access to network segment to connect 
                their own system (i.e insider) OR
       
                B. Somehow inject continuous ARP reply packets onto the 
                segment via tunneling, etc. OR
       
                C. Have access to a compromised host on that segment

       2. Have a failure on the primary.

       3. Respond with spoofed ARP replies to the standby's ARP request
       test.

The likelihood that all these conditions can be met is minimal but not 
impossible as other attack methods may prove effective.


   --== Mitigation ==-

1. Prevent or correct IP address conflicts on the traffic carrying 
segments.

2. The firewall will detect and log IP address conflicts with system 
log message:

%PIX-4-405001: Received ARP response collision from <firewall IP 
address/mac address of device with duplicate IP address> on interface 
<firewall interface>.

3. Restrict via port security and/or filter ARP communications with 
ACL's based on IP type 0x0806 and 0x0835.


   --== References ==-

Additional information about IP conflict log message:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/sys
log/logmsgs.htm#wp1282234 

Configuring failover on PIX and ASA:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/con
fig/failover.htm 

Catalyst 6500 Series Cisco IOS Software Configuration Guide Configuring 
Port Security 
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configura
tion_guide_chapter09186a0080160a2c.html 

Catalyst 6500 Series Software Configuration Guide 
Configuring Port Security 
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configura
tion_guide_chapter09186a008022f27b.html 

LAN Security Configuration Guides 
http://www.cisco.com/en/US/tech/tk389/tk814/tech_configuration_guides_li
st.html 

Blocking ARP packets with ACL's on 2970, 3550, 3560, and 3750:
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configura
tion_example09186a0080470c39.shtml

HPing packet generator
http://www.hping.org/

ARP Spoofing using DSniff:
http://naughty.monkey.org/~dugsong/dsniff/faq.html


   --== Credit ==-

Amin Tora, ePlus Security Team


   --== Contributors ==-

ePlus Security Team:

        William Zegeer
        Christopher Cole

Outside Contributors:

        John Biasi
        John Guerriero
        Frank Vitale
        Everyone at CISCO PSIRT

-------------------=========================-------------------
EOM