14 Jul 2000
Cisco is urging users to update their firewall software after it emerged that a Secure PIX Firewall cannot distinguish between a forged and a genuine reset packet.
As a result of the problem, which was discovered by a Cisco customer, any Cisco Secure PIX Firewall that provides external access to the internet is potentially vulnerable to the disruption of individual sessions. The problem tarnishes Cisco's reputation for security, which has been hit by a series of flaws in its router software and firewall in recent months.
In a security notice to customers, Cisco said: "Any TCP/IP connection established through the Cisco Secure PIX Firewall can be terminated by a third party from the untrusted network if the connection can be uniquely determined. This vulnerability is independent of configuration. There is no workaround."
According to Cisco, to exploit the vulnerability an attacker would have to infer knowledge of the internal firewall configuration or have detailed knowledge of the source and destination IP addresses and ports associated with the particular connection being targeted. The problem affects only TCP sessions, not data exchange based on any other protocol, the network giant added.
The vulnerability exists in all Cisco Secure PIX Firewall software releases up to and including 4.2(5), 4.4(4), 5.0(3) and 5.1(1). Cisco is urging users to upgrade to a fixed version that checks for a valid sequence number before removing a connection from the connection state table.
The company is seeking to play down the problem by stating that it has received no reports of malicious exploitation of the vulnerability.
However, Cisco has conceded that the upgrade, which can involve up to 128Mb of software, may be difficult for some users.
Its product security team has advised users that "it is important to be certain that the new version of Cisco Secure PIX Firewall software is supported by your hardware and especially that enough memory is available".
Security issues involving other leading firewall makers, including Check Point Software and Network Associates, have also come to light in recent months.
Peter Crowcombe, of Infonetics Research, said that users are under strain to deal with the volume of security issues they face and a different approach might be called for.
"Should users be doing their own security or buying it as a service with service-level agreements that can be measured and compensation paid if there is a breach? I think the managed service approach could be the answer for many companies," said Crowcombe.
When the Cisco Secure PIX Firewall receives a TCP Reset (RST) packet, it examines that packet based on data contained in the TCP header: source IP address, source port, destination IP address and destination port. If these four values match an entry in the stateful inspection table, the associated connection is reset, regardless of whether the packet's sequence number is plausible for that connection.
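To make the difference between the affected and the fixed behaviour concrete, the following toy model of a connection state table is an added example, not Cisco's code: the vulnerable mode tears down a connection on a bare four-tuple match, the fixed mode additionally requires the RST's sequence number to fall inside the connection's expected receive window (a simplified window model; the IP addresses and sequence numbers are constructed).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    """The four header fields the PIX matched against its state table."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class TcpRst:
    key: FlowKey
    seq: int  # sequence number carried in the RST segment


class StateTable:
    """check_seq=False models the affected releases; True models the fixed check."""

    def __init__(self, check_seq: bool):
        self.check_seq = check_seq
        self.conns = {}  # FlowKey -> (expected_seq, window) ; assumed structure

    def add(self, key: FlowKey, expected_seq: int, window: int = 8192) -> None:
        self.conns[key] = (expected_seq, window)

    def on_rst(self, rst: TcpRst) -> bool:
        """Return True if the RST removed the connection from the table."""
        entry = self.conns.get(rst.key)
        if entry is None:
            return False  # no four-tuple match: ignored in both modes
        expected, window = entry
        # Fixed behaviour: only an RST inside the receive window is honoured
        if self.check_seq and not (expected <= rst.seq < expected + window):
            return False
        del self.conns[rst.key]
        return True


def rst_tears_down(check_seq: bool, rst: TcpRst) -> bool:
    table = StateTable(check_seq)
    table.add(rst.key, expected_seq=100_000)
    return table.on_rst(rst)


def simulate() -> dict:
    key = FlowKey("203.0.113.10", 40000, "192.0.2.5", 80)  # constructed flow
    forged = TcpRst(key, seq=1)  # correct four-tuple, arbitrary sequence number
    genuine = TcpRst(key, seq=100_050)  # sequence number inside the window
    return {mode: {"forged": rst_tears_down(check, forged),
                   "genuine": rst_tears_down(check, genuine)}
            for mode, check in (("vulnerable", False), ("fixed", True))}
```

Running `simulate()` shows the forged RST resetting the connection only in the vulnerable mode, while the genuine RST is honoured in both.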