Published (Last): 1 September 2009
The complete list is given in the Software Versions and Fixes section of this advisory. Affected hardware models are: Cisco routers in the following series: , , , , , , , , , Gateway, , , , , , SOHO 70, ubr, ICS
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities. CBAC is also a stateful system; it keeps information about connections that last beyond the lifetime of a single packet.
If configured, CBAC maintains session information based on the packets it examines. When a session is initiated from the protected network, CBAC creates a dynamic access list entry allowing return traffic for that session. When return traffic is inspected against a dynamic access list entry, the source and destination addresses and ports are checked; however, the IP protocol type is not checked. This could allow a packet of a different protocol type into the protected network.
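The following added example (not code from the advisory or from Cisco IOS) models the return-traffic check just described: a session table keyed only on addresses and ports, beside one that also keys on IP protocol type. The addresses and ports are constructed sample values.

```python
"""Toy model of stateful return-traffic matching (added example).

Compares a session table keyed on (src, sport, dst, dport) only, as the
advisory describes for the affected CBAC behaviour, with one that also
keys on IP protocol type, so a reply of a different protocol is dropped.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp", ...
    src: str
    sport: int
    dst: str
    dport: int


class SessionTable:
    def __init__(self, check_protocol: bool):
        self.check_protocol = check_protocol
        self.sessions = set()

    def _key(self, proto, src, sport, dst, dport):
        key = (src, sport, dst, dport)
        # The affected model ignores proto; the corrected model includes it.
        return (proto,) + key if self.check_protocol else key

    def outbound(self, pkt: Packet) -> None:
        # Session initiated from the protected network: record the
        # expected return tuple (addresses and ports reversed).
        self.sessions.add(self._key(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def permits_return(self, pkt: Packet) -> bool:
        # Dynamic entry lookup for traffic arriving from the outside.
        return self._key(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions


def demo() -> dict:
    inside, outside = "10.0.0.5", "192.0.2.10"   # constructed sample hosts
    out = Packet("tcp", inside, 40000, outside, 80)          # inside opens a TCP session
    good_reply = Packet("tcp", outside, 80, inside, 40000)   # legitimate return traffic
    wrong_proto = Packet("udp", outside, 80, inside, 40000)  # same tuple, other protocol
    results = {}
    for name, check in (("affected", False), ("fixed", True)):
        table = SessionTable(check_protocol=check)
        table.outbound(out)
        results[name] = (table.permits_return(good_reply), table.permits_return(wrong_proto))
    return results   # {"affected": (True, True), "fixed": (True, False)}
```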
Workarounds
There is no workaround.
Fixed Software
Each row of the table describes a release train and the platforms or products for which it is intended.
If a given release train is vulnerable, then the earliest possible releases that contain the fix and the anticipated date of availability for each are listed in the "Rebuild," "Interim," and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the earliest fixed release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than the earliest fixed release label).
When selecting a release, keep in mind the following definitions:
Maintenance - Most heavily tested and highly recommended release of any label in a given row of the table.
Rebuild - Constructed from the previous maintenance or major release in the same train, it contains the fix for a specific defect. Although it receives less testing, it contains only the minimal changes necessary to effect the repair.
Interim - Built at regular intervals between maintenance releases and receives less testing. Interims should be selected only if there is no other suitable release that addresses the vulnerability.
Interim images should be upgraded to the next available maintenance release as soon as possible. Interim releases are not available via manufacturing, and usually they are not available for customer download from CCO without prior arrangement with the Cisco TAC. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release.
If the information is not clear, contact the Cisco TAC for assistance as shown in the following section.
Cisco PIX and CBAC Fragmentation Attack
This section provides detailed information about these vulnerabilities. Static NAT table entries are created with the PIX Firewall static command, and dynamic entries are created by inside hosts initiating IP traffic exchanges with outside hosts. No checks are made as to whether or not non-initial fragments belong to actual existing connections, so it is possible for any outside host to send fragments to any inside host that has a NAT entry, regardless of whether or not there is a connection between the two hosts, and regardless of whether a conduit is configured. Any non-initial fragment will be discarded unless the corresponding initial fragment was permitted to pass through the firewall. Non-initial fragments received before the corresponding initial fragments will be discarded.
A Vulnerability in IOS Firewall Feature Set
Only specified protocols will be inspected by CBAC. Packets entering the firewall are inspected by CBAC only if they first pass the inbound access list at the input interface and outbound access list at the output interface. If a packet is denied by the access list, the packet is simply dropped and not inspected by CBAC. CBAC inspection tracks sequence numbers in all TCP packets, and drops those packets with sequence numbers that are not within expected ranges.
Security Configuration Guide: Context-Based Access Control Firewall, Cisco IOS Release 12.4T
Outgoing ping commands require echo-reply messages to come back. If a router cannot forward or deliver a datagram, it sends an ICMP unreachable message back to the source and drops the datagram. This is known as anti-spoofing protection because it prevents traffic from an unprotected network from assuming the identity of a device on the protected network. This entry helps to prevent broadcast attacks. Although this is the default setting, this final deny statement is not shown by default in an access list.