-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Response ============== This is Cisco PSIRT's response to the statements made by Amin Tora in his message: [ADVISORY] CISCO ASA Failover DoS Vulnerability, posted on November 14, 2005. The original email is available at http://www.securityfocus.com/archive/1/416544/30/0/threaded Attached is a cleartext, PGP signed version of this same email. This issue is being tracked by two Cisco Bug IDs: * CSCsc34022 -- ASA-PIX requires improved failover testing method This DDTS has been resolved and the fix will be available in an upcoming version of software. The standby firewall now validates both the IP address and MAC address of all active firewall interfaces while conducting failover ARP testing. * CSCsc47618 -- Authenticate all messages between Active and Standby Firewalls This DDTS is under investigation and while not resolved there is a workaround to mitigate the issue. We would like to thank Amin Tora for reporting this issue to us. We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in product reports. Additional Information ====================== The Release Note Enclosure for CSCsc34022 states: +------------------------------------------------ Symptom: +------- The Standby firewall in failover pair may not take over when the Active firewall loses power or crashes. Conditions: +---------- For this issue to occur, a duplicate IP address matching one of the active firewall's IP addresses must be present on the same network subnet as the firewalls when the active firewall loses power or crashes. When the active firewall loses power or crashes, the standby firewall's LAN failover interface will lose connectivity with the active firewall. This causes the standby firewall to ARP for the IP address of each active firewall interface. Because the active firewall is now unreachable, the duplicate IP address matching the active firewall will cause the standby firewall to receive a reply to the ARP attempt. Upon receiving the erroneous ARP reply, the standby firewall will believe that the active firewall is still reachable and prevent the standby firewall from taking over. Due to the timing of two concurrent failover tests, there are still cases where the standby firewall will be able to determine that the active firewall is down even when a duplicate IP address is present; however, this can not be guaranteed. Workaround: +---------- Connecting the LAN failover interfaces of the firewalls to switch ports may minimize but not completely mitigate the chance that an otherwise active firewall will lose connectivity to its LAN failover interface. Preventing or correcting IP addresses that duplicate the firewall IP addresses is a complete workaround for this issue. The firewall will detect and log duplicate IP addresses with system log message: %PIX-4-405001: Received ARP response collision from <firewall IP address/mac address of device with duplicate IP address> on interface <firewall interface>. Additional information about this syslog message is available at: http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/sys log/logmsgs.htm#wp1282234 Additional information about configuring failover in PIX and ASA 7.0 is available at: http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/con fig/failover.htm Additional information about configuring failover in FWSM 2.3 is available at: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm /fwsm_2_3/fwsm_cfg/failover.htm The Release Note Enclosure for CSCsc47618 states: +------------------------------------------------ Symptom: +------- An attacker who can spoof the IP address and MAC address of an active firewall's interface may prevent failover from occurring. Conditions: +---------- When the active firewall loses power or crashes, the standby firewall's LAN failover interface will lose connectivity with the active firewall. This causes the standby firewall to ARP for the IP address of each active firewall interface. The standby firewall will only accept the ARP response if the source MAC address matches the active firewall's interface MAC address. An attacker who can spoof the IP address and MAC address of the active firewall's interface can lead the standby firewall to believe that the active firewall is still reachable and prevent the standby firewall from taking over. Workaround: +---------- Configure port security on all switch ports configured to be in the same vlans as the active and standby firewalls enabled interfaces. Port security must not be enabled on the switch ports connected to the active and standby firewalls interfaces. Port security will prevent an attacker from spoofing the active firewall's interface MAC address allowing failover to occur normally. This configuration should be tested before being enabled in a production environment. For information on configuring port security refer to: Catalyst 6500 Series Cisco IOS Software Configuration Guide Configuring Port Security http://www.cisco.com/en/US/products/hw/switches/ps708/products_configura tion_guide_chapter09186a0080160a2c.html Catalyst 6500 Series Software Configuration Guide Configuring Port Security http://www.cisco.com/en/US/products/hw/switches/ps708/products_configura tion_guide_chapter09186a008022f27b.html LAN Security Configuration Guides http://www.cisco.com/en/US/tech/tk389/tk814/tech_configuration_guides_li st.html For information about layer 2 attacks and mitigations refer to: SAFE Layer 2 Security In-depth Version 2 http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_sol utions_white_paper09186a008014870f.shtml Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_poli cy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt Regards, Randy Randy Ivener Product Security Incident Response Team (PSIRT) Cisco Systems, Inc. rivener@xxxxxxxxx http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQA/AwUBQ3kGnG4/EyDEWh8IEQKBhACbB6PVS/9UY3puPDYx5TZLxgkUp9IAoJem ExnCz+YJioSK6OOENgSorGa5 =Or3I -----END PGP SIGNATURE-----
Attachment:
cisco-bugtraq-pix-failover.txt.asc
Description: cisco-bugtraq-pix-failover.txt.asc