RE: [ADVISORY] CISCO ASA Failover DoS Vulnerability

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: [ADVISORY] CISCO ASA Failover DoS Vulnerability
From: "Randy Ivener (rivener)" <rivener@xxxxxxxxx>
Date: Mon, 14 Nov 2005 13:50:24 -0800
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcXpVjVoit663AZeTUehFbEwiLjEywADvskg
Thread-topic: [ADVISORY] CISCO ASA Failover DoS Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Response
==============

This is Cisco PSIRT's response to the statements made by Amin Tora in
his
message: [ADVISORY] CISCO ASA Failover DoS Vulnerability, posted on 
November 14, 2005.

The original email is available at
http://www.securityfocus.com/archive/1/416544/30/0/threaded

Attached is a cleartext, PGP signed version of this same email.

This issue is being tracked by two Cisco Bug IDs:

 * CSCsc34022 -- ASA-PIX requires improved failover testing method

This DDTS has been resolved and the fix will be available in an upcoming
version of software. The standby firewall now validates both the IP
address and
MAC address of all active firewall interfaces while conducting failover
ARP
testing.

 * CSCsc47618 -- Authenticate all messages between Active and Standby
Firewalls

This DDTS is under investigation and while not resolved there is a
workaround to 
mitigate the issue.


We would like to thank Amin Tora for reporting this issue to us.

We greatly appreciate the opportunity to work with researchers on
security
vulnerabilities, and welcome the opportunity to review and assist in
product
reports.


Additional Information
======================

The Release Note Enclosure for CSCsc34022 states:
+------------------------------------------------

Symptom:
+-------

The Standby firewall in failover pair may not take over when the Active
firewall loses power or crashes.


Conditions:
+----------

For this issue to occur, a duplicate IP address matching one of the
active
firewall's IP addresses must be present on the same network subnet as
the
firewalls when the active firewall loses power or crashes.

When the active firewall loses power or crashes, the standby firewall's
LAN
failover interface will lose connectivity with the active firewall. This
causes
the standby firewall to ARP for the IP address of each active firewall
interface. Because the active firewall is now unreachable, the duplicate
IP
address matching the active firewall will cause the standby firewall to
receive
a reply to the ARP attempt. Upon receiving the erroneous  ARP reply, the
standby firewall will believe that the active firewall is still
reachable and
prevent the standby firewall from taking over.

Due to the timing of two concurrent failover tests, there are still
cases where
the standby firewall will be able to determine that the active firewall
is down
even when a duplicate IP address is present; however, this can not be
guaranteed.


Workaround:
+----------

Connecting the LAN failover interfaces of the firewalls to switch ports
may
minimize but not completely mitigate the chance that an otherwise active
firewall will lose connectivity to its LAN failover interface.

Preventing or correcting IP addresses that duplicate the firewall IP
addresses
is a complete workaround for this issue.

The firewall will detect and log duplicate IP addresses with system log
message:

%PIX-4-405001: Received ARP response collision from <firewall IP
address/mac
address of device with duplicate IP address> on interface <firewall
interface>.

Additional information about this syslog message is available at:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/sys
log/logmsgs.htm#wp1282234

Additional information about configuring failover in PIX and ASA 7.0 is
available at:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/con
fig/failover.htm

Additional information about configuring failover in FWSM 2.3 is
available at:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm
/fwsm_2_3/fwsm_cfg/failover.htm


The Release Note Enclosure for CSCsc47618 states:
+------------------------------------------------

Symptom:
+-------

An attacker who can spoof the IP address and MAC address of an active
firewall's interface may prevent failover from occurring.

Conditions:
+----------

When the active firewall loses power or crashes, the standby firewall's
LAN
failover interface will lose connectivity with the active firewall. This
causes
the standby firewall to ARP for the IP address of each active firewall
interface. The standby firewall will only accept the ARP response if the
source
MAC address matches the active firewall's interface MAC address. An
attacker
who can spoof the IP address and MAC address of the active firewall's
interface
can lead the standby firewall to believe that the active firewall is
still
reachable and prevent the standby firewall from taking over.

Workaround:
+----------

Configure port security on all switch ports configured to be in the same
vlans
as the active and standby firewalls enabled interfaces. Port security
must not
be enabled on the switch ports connected to the active and standby
firewalls
interfaces.

Port security will prevent an attacker from spoofing the active
firewall's
interface MAC address allowing failover to occur normally.

This configuration should be tested before being enabled in a production
environment.

For information on configuring port security refer to:
   
Catalyst 6500 Series Cisco IOS Software Configuration Guide
Configuring Port Security
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configura
tion_guide_chapter09186a0080160a2c.html


Catalyst 6500 Series Software Configuration Guide
Configuring Port Security
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configura
tion_guide_chapter09186a008022f27b.html

LAN Security
Configuration Guides
http://www.cisco.com/en/US/tech/tk389/tk814/tech_configuration_guides_li
st.html

For information about layer 2 attacks and mitigations refer to:

SAFE Layer 2 Security In-depth Version 2
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_sol
utions_white_paper09186a008014870f.shtml


Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products,
obtaining assistance with security incidents, and registering to receive
security information from Cisco, is available on Cisco's worldwide
website at 
http://www.cisco.com/en/US/products/products_security_vulnerability_poli
cy.html

This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at 
http://www.cisco.com/go/psirt



Regards, 
Randy 

Randy Ivener
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
rivener@xxxxxxxxx 
http://www.cisco.com/go/psirt


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQ3kGnG4/EyDEWh8IEQKBhACbB6PVS/9UY3puPDYx5TZLxgkUp9IAoJem
ExnCz+YJioSK6OOENgSorGa5
=Or3I
-----END PGP SIGNATURE-----

Attachment: cisco-bugtraq-pix-failover.txt.asc
Description: cisco-bugtraq-pix-failover.txt.asc

Prev by Date: iDefense Security Advisory 11.11.05: Multiple Vendor Lynx Command Injection Vulnerability
Next by Date: [SECURITY] [DSA 894-1] New AbiWord packages fix arbitrary code execution
Previous by thread: [ADVISORY] CISCO ASA Failover DoS Vulnerability
Next by thread: [SECURITY] [DSA 895-1] New uim packages fix privilege escalation
Index(es):
- Date
- Thread