Subject: [ADVISORY] CISCO ASA Failover DoS Vulnerability
Date: Mon, 14 Nov 2005 00:19:07 -0500
Message-ID: <3CD2141A07CCC6448D1C4F1832118F1E4DDC76@EPMAIL.epgpdom.com.>
From: "Amin Tora" <atora@EPLUS.com>
To: <bugtraq@securityfocus.com>
Cc: <cert@cert.org>, <psirt@cisco.com>, <vuln@frsirt.com>
-------------------=========================-------------------
Advisory  : EPSIRT 051028-ASA01
Title     : CISCO ASA Failover DoS Vulnerability
Release   : November 14, 2005
Author    : Amin Tora
Severity  : Denial of Service
Risk Level: Low
Product   : CISCO Adaptive Security Appliances
            running: 7.0(0), 7.0(2), 7.0(4)
-------------------=========================-------------------
--== Overview ==--
A possible denial of service against failover can occur due to a race
condition when there is an IP address conflict or a spoofed ARP response
at the time the active firewall fails.
--== Details ==--
An inherent weakness in the CISCO ASA failover testing algorithm and
methodology was identified and reported to CISCO TAC and PSIRT. In
general, two weaknesses were identified: a race condition between two
different failover testing processes, and a lack of authentication for
failover messages between the active and standby units. The former
condition has been resolved and the fix will be available in an upcoming
version of ASA software. These conditions are tracked in CISCO bug IDs:
* CSCsc34022 - ASA-PIX requires improved failover testing method
* CSCsc47618 - Authenticate all messages between Active and Standby
In an Active/Standby configuration:
When failover LAN communication goes down (e.g. cable problem,
switch/hub failure, interface failure, ASA software bug, etc.), the
standby firewall sends ARP requests on each of the segments for the IP
address of the Active firewall to see if the Active is still alive. If
there is a response to AT LEAST ONE of the requests, the standby will
NOT become active (i.e. there is no failover).
This scenario can occur when:
1. The failover LAN interface fails AND there is a failure on any of the
   other traffic-carrying interfaces, EXCEPT for one.
2. The failover LAN interface fails AND there is a power failure on the
   ACTIVE firewall, AND an "IP address conflict" exists on a
   traffic-carrying interface.
Here, the "IP address conflict" can be another improperly configured
device with the same IP address as one assigned to a traffic-carrying
interface, or it could be an ARP spoofing attack.
During such an outage, by sending at least one ARP response to the
standby's ARP requests an attacker can cause a "failover denial of
service" by preventing the standby from becoming active, rendering the
failover solution ineffective.
The "interface-policy 1" command may or may not resolve this issue, as
there is a race condition between two separate processes performing two
separate tests (one for interface failure and one for the ARP test);
whichever test finishes first decides the outcome.
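The IP-conflict condition described above (a second station answering ARP for the active firewall's address) is exactly what an arpwatch-style monitor on the segment can detect. The following is an added example written for this annotated copy; it is not code from the advisory or from Cisco. It parses raw Ethernet/ARP frames, keeps the MAC each watched firewall IP is expected to use, and raises an alert when a different MAC claims that IP. All addresses, MACs and frames below are constructed sample input; the frames are built in memory only.

```python
import socket
import struct
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def build_arp_frame(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an Ethernet II + ARP frame. Used here only to construct sample input."""
    sha_b, tha_b = mac_bytes(sha), mac_bytes(tha)
    eth_dst = tha_b if oper == ARP_REPLY else b"\xff" * 6
    eth = eth_dst + sha_b + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + sha_b + socket.inet_aton(spa) + tha_b + socket.inet_aton(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "oper": oper,
        "sha": mac_str(frame[22:28]),
        "spa": socket.inet_ntoa(frame[28:32]),
        "tha": mac_str(frame[32:38]),
        "tpa": socket.inet_ntoa(frame[38:42]),
    }


class ArpConflictMonitor:
    """Flag any station other than the known firewall MAC claiming a watched IP."""

    def __init__(self, watched: Dict[str, str]):
        # watched: firewall interface IP -> MAC that interface is known to use
        self.expected = {ip: mac.lower() for ip, mac in watched.items()}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        arp = parse_arp(frame)
        if arp is None:
            return None
        # Both requests and replies carry a sender binding. A spoofed reply is
        # the case the advisory describes; a gratuitous request can assert the
        # same conflicting binding, so both are checked.
        expected = self.expected.get(arp["spa"])
        if expected is None or arp["sha"] == expected:
            return None
        kind = "reply" if arp["oper"] == ARP_REPLY else "request"
        alert = (f"ARP {kind} claims {arp['spa']} from {arp['sha']} "
                 f"(expected {expected}), sent to {arp['tpa']}")
        self.alerts.append(alert)
        return alert


def run_monitor_demo() -> List[str]:
    """Feed constructed frames through the monitor and return the alerts raised."""
    fw_ip, fw_mac = "192.0.2.1", "02:00:00:00:00:01"      # constructed active firewall
    standby_mac = "02:00:00:00:00:02"                     # constructed standby unit
    rogue_mac = "02:00:00:00:00:99"                       # constructed conflicting station
    monitor = ArpConflictMonitor({fw_ip: fw_mac})
    frames = [
        # standby's health-check request for the active firewall's address
        build_arp_frame(ARP_REQUEST, standby_mac, "192.0.2.2", "00:00:00:00:00:00", fw_ip),
        # legitimate reply from the active firewall itself
        build_arp_frame(ARP_REPLY, fw_mac, fw_ip, standby_mac, "192.0.2.2"),
        # conflicting reply: a different MAC answers for the firewall's IP
        build_arp_frame(ARP_REPLY, rogue_mac, fw_ip, standby_mac, "192.0.2.2"),
        # reply about an address that is not watched
        build_arp_frame(ARP_REPLY, "02:00:00:00:00:42", "192.0.2.42", standby_mac, "192.0.2.2"),
        b"\x00" * 60,  # non-ARP frame, ignored
    ]
    for frame in frames:
        monitor.observe(frame)
    return monitor.alerts


if __name__ == "__main__":
    for line in run_monitor_demo():
        print(line)
```

In a real deployment the frames would come from a promiscuous capture on each traffic-carrying segment (for example via a raw socket or a pcap library), and the expected MAC table would be populated from the firewalls' own interface MACs; the alert condition is the same either way.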
--== Impact ==--
The severity of this issue is believed to be low. An attacker would
require direct access to the network segment AND there would have to be
some form of failure on the active firewall.
All of these conditions must be met for an attacker to succeed with the
denial of service:
1. Have some form of access to a local segment of the firewalls:
   A. Direct physical access to the network segment to connect
      their own system (i.e. an insider), OR
   B. Some way to inject continuous ARP reply packets onto the
      segment via tunneling, etc., OR
   C. Access to a compromised host on that segment.
2. A failure on the primary.
3. Respond with spoofed ARP replies to the standby's ARP request
   test.
The likelihood that all these conditions can be met is minimal but not
impossible, as other attack methods may prove effective.
--== Mitigation ==--
1. Prevent or correct IP address conflicts on the traffic-carrying
   segments.
2. The firewall will detect and log IP address conflicts with the system
   log message:
   %PIX-4-405001: Received ARP response collision from <firewall IP
   address>/<MAC address of device with duplicate IP address> on interface
   <firewall interface>.
3. Restrict ARP via port security and/or filter ARP communications with
   ACLs based on EtherType 0x0806 and 0x0835.
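Mitigation item 2 is only useful if someone is watching for that message. The following is an added example for this annotated copy, not code from the advisory or from Cisco: it extracts the 405001 collision message from syslog lines, normalises the MAC address, and reports any foreign MAC that repeatedly answers for a firewall address on one interface, which is the sustained condition worth alerting on rather than a one-off misconfiguration. Accepting the %ASA- prefix alongside %PIX-, and both dotted and colon MAC notation, are assumptions made here; the log lines are constructed sample input.

```python
import re
from collections import Counter
from typing import Iterable, List, NamedTuple, Tuple


class Collision(NamedTuple):
    iface: str
    ip: str
    mac: str


# Pattern for the message quoted in the advisory. Accepting the %ASA- prefix
# and colon-separated MACs in addition to %PIX- and Cisco dotted MACs is an
# assumption made for this example.
COLLISION_RE = re.compile(
    r"%(?:PIX|ASA)-4-405001: Received ARP response collision from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/"
    r"(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r" on interface (?P<iface>[^\s.]+)\.?\s*$",
    re.IGNORECASE,
)


def normalize_mac(mac: str) -> str:
    """Return a MAC in lower-case colon notation whatever form the log used."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_collisions(lines: Iterable[str]) -> List[Collision]:
    """Pull every ARP collision event out of a stream of syslog lines."""
    events: List[Collision] = []
    for line in lines:
        m = COLLISION_RE.search(line)
        if m:
            events.append(Collision(m["iface"], m["ip"], normalize_mac(m["mac"])))
    return events


def repeated_claimants(events: Iterable[Collision], threshold: int) -> List[Tuple[Collision, int]]:
    """Report (interface, ip, mac) combinations seen at least `threshold` times.

    One collision may be a mistyped static address; the same foreign MAC
    answering again and again for a firewall IP on one segment is the
    persistent conflict that would defeat the standby's ARP health check.
    """
    counts = Counter(events)
    return [(ev, n) for ev, n in counts.most_common() if n >= threshold]


# Constructed sample log: three collisions on "outside" from one station,
# one on "dmz", and an unrelated connection message in between.
SAMPLE_LOG = """\
Nov 14 00:19:07 fw1 %PIX-4-405001: Received ARP response collision from 192.0.2.1/0200.0000.0099 on interface outside
Nov 14 00:19:08 fw1 %PIX-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/4242 to inside:192.0.2.50/80
Nov 14 00:19:09 fw1 %PIX-4-405001: Received ARP response collision from 192.0.2.1/0200.0000.0099 on interface outside
Nov 14 00:19:10 fw1 %ASA-4-405001: Received ARP response collision from 10.0.0.1/02:00:00:00:00:77 on interface dmz
Nov 14 00:19:11 fw1 %PIX-4-405001: Received ARP response collision from 192.0.2.1/0200.0000.0099 on interface outside
"""


def run_log_demo(threshold: int = 3) -> Tuple[List[Collision], List[Tuple[Collision, int]]]:
    events = parse_collisions(SAMPLE_LOG.splitlines())
    return events, repeated_claimants(events, threshold)


if __name__ == "__main__":
    events, flagged = run_log_demo()
    print(f"{len(events)} collision events parsed")
    for ev, n in flagged:
        print(f"ALERT: {ev.mac} answered for {ev.ip} on {ev.iface} {n} times")
```

Pointing `parse_collisions` at the firewall's syslog feed (a file, or lines from a syslog collector) and running `repeated_claimants` over a sliding window gives a simple detector for the conflict condition; the interface and MAC in the alert tell you which segment to inspect with port security or switch MAC tables.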
--== References ==--
Additional information about the IP conflict log message:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/syslog/logmsgs.htm#wp1282234
Configuring failover on PIX and ASA:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/failover.htm
Catalyst 6500 Series Cisco IOS Software Configuration Guide, Configuring
Port Security:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a2c.html
Catalyst 6500 Series Software Configuration Guide, Configuring Port
Security:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008022f27b.html
LAN Security Configuration Guides:
http://www.cisco.com/en/US/tech/tk389/tk814/tech_configuration_guides_list.html
Blocking ARP packets with ACLs on 2970, 3550, 3560, and 3750:
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml
HPing packet generator:
http://www.hping.org/
ARP Spoofing using DSniff:
http://naughty.monkey.org/~dugsong/dsniff/faq.html
--== Credit ==--
Amin Tora, ePlus Security Team
--== Contributors ==--
ePlus Security Team:
  William Zegeer
  Christopher Cole
Outside Contributors:
  John Biasi
  John Guerriero
  Frank Vitale
  Everyone at CISCO PSIRT
-------------------=========================-------------------
EOM