Cisco ASA Multiple Failover DoS Vulnerabilities
18 years 11 months ago #11741
by ping
THIS ARTICLE WAS ORIGINALLY POSTED BY 320X ON GOVERNMENTSECURITY.ORG
"The Cisco ASA 5500 Series Adaptive Security Appliance is a high-performance, multifunction security appliance family delivering converged firewall, IPS, network anti-virus and VPN services. "
When an attacker sends a crafted ARP packet that conflicts with a Cisco ASA IP address, or when the Cisco ASA is spoofed with ARP packets, it is possible to cause a DoS and bypass the Cisco ASA firewall.
Credit:
The information has been provided by Amin Tora and Randy Ivener
Details
Vulnerable Systems:
* Cisco Adaptive Security Appliances version 7.0.0
* Cisco Adaptive Security Appliances version 7.0.2
* Cisco Adaptive Security Appliances version 7.0.4
An inherent weakness in the Cisco ASA failover testing algorithm and methodology was identified and noted to Cisco TAC and PSIRT. In general, the two weaknesses have been identified as a race condition between two different failover testing processes and a lack of authentication for failover messages between active and standby.
These conditions are noted in Cisco bug IDs:
* CSCsc34022 - ASA-PIX requires improved failover testing method
* CSCsc47618 - Authenticate all messages between Active and Standby
In an Active/Standby configuration:
When failover LAN communication goes down (e.g. cable problem, switch/hub failure, interface failure, ASA software bug, etc.), the standby firewall sends ARP requests on each of the segments for the IP address of the active firewall to see whether the active is still alive. If there is a response for AT LEAST ONE of the requests, the standby will NOT become active (i.e. there is no failover).
For this issue to occur, a duplicate IP address matching one of the active firewall's IP addresses must be present on the same network subnet as the firewalls when the active firewall loses power or crashes.
When the active firewall loses power or crashes, the standby firewall's LAN failover interface will lose connectivity with the active firewall. This causes the standby firewall to ARP for the IP address of each active firewall interface. Because the active firewall is now unreachable, the duplicate IP address matching the active firewall will cause the standby firewall to receive a reply to the ARP attempt. Upon receiving the erroneous ARP reply, the standby firewall will believe that the active firewall is still reachable and prevent the standby firewall from taking over.
Due to the timing of two concurrent failover tests, there are still cases where the standby firewall will be able to determine that the active firewall is down even when a duplicate IP address is present; however, this cannot be guaranteed.
Workaround:
Connecting the LAN failover interfaces of the firewalls to switch ports may minimize but not completely mitigate the chance that an otherwise active firewall will lose connectivity to its LAN failover interface.
Preventing or correcting IP addresses that duplicate the firewall IP addresses is a complete workaround for this issue.
The firewall will detect and log duplicate IP addresses with system log message:
%PIX-4-405001: Received ARP response collision from <firewall IP address/mac address of device with duplicate IP address> on interface <firewall interface>.
Additional information about this syslog message is available at: System Log Messages
Additional information about configuring failover in PIX and ASA 7.0 is available at:
www.cisco.com/univercd/cc/td/doc/pr...ig/failover.htm
Additional information about configuring failover in FWSM 2.3 is available at:
Using Failover
The Release Note Enclosure for CSCsc47618 states:
An attacker who can spoof the IP address and MAC address of an active firewall's interface may prevent failover from occurring.
When the active firewall loses power or crashes, the standby firewall's LAN failover interface will lose connectivity with the active firewall. This causes the standby firewall to ARP for the IP address of each active firewall interface. The standby firewall will only accept the ARP response if the source MAC address matches the active firewall's interface MAC address. An attacker who can spoof the IP address and MAC address of the active firewall's interface can lead the standby firewall to believe that the active firewall is still reachable and prevent the standby firewall from taking over.
Workaround:
Configure port security on all switch ports configured to be in the same VLANs as the active and standby firewalls' enabled interfaces. Port security must not be enabled on the switch ports connected to the active and standby firewalls' interfaces.
Port security will prevent an attacker from spoofing the active firewall's interface MAC address, allowing failover to occur normally.
This configuration should be tested before being enabled in a production environment.
For information on configuring port security refer to:
Catalyst 6500 Series Cisco IOS Software Configuration Guide: Configuring Port Security
Catalyst 6500 Series Software Configuration Guide: Configuring Port Security
LAN Security Configuration Guides
www.cisco.com/en/US/tech/tk389/tk81...uides_list.html
For information about layer 2 attacks and mitigations refer to:
SAFE Layer 2 Security In-depth Version 2
Cheers..
~Pranav
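As an added example that is not part of the original post and not Cisco code: a small Python model of the standby unit's ARP reachability test described above, in both its original form (CSCsc34022, any reply suppresses failover) and the MAC-checking form the CSCsc47618 release note enclosure describes, followed by a parser for the %PIX-4-405001 collision message so the duplicate-IP workaround can be checked from syslog. The interface names, IP addresses, MAC addresses and log lines are constructed for illustration, the syslog field layout is assumed from the single format line quoted in the advisory, and the model ignores the timing race the advisory mentions and treats the test as deterministic.

```python
# Added example, not from the advisory or from Cisco. Toy model of the
# ASA 7.0 Active/Standby reachability test plus a %PIX-4-405001 parser.
# Addresses, MACs, interface names and log lines are constructed.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Host:
    ip: str
    mac: str
    alive: bool = True
    spoof_mac: Optional[str] = None  # attacker answers ARP with this MAC if set


@dataclass
class Segment:
    hosts: List[Host] = field(default_factory=list)

    def arp_replies(self, target_ip: str) -> List[Tuple[str, str]]:
        """Replies (ip, sender MAC) the standby sees for 'who has target_ip'."""
        return [(h.ip, h.spoof_mac or h.mac)
                for h in self.hosts if h.alive and h.ip == target_ip]


def standby_fails_over(active_ifaces: Dict[str, Tuple[str, str]],
                       segments: Dict[str, Segment],
                       check_mac: bool = False) -> bool:
    """After losing the LAN failover link, the standby ARPs for each active
    interface IP on its segment. One accepted reply suppresses failover.
    check_mac=True models the CSCsc47618 behaviour: a reply is accepted only
    if its sender MAC equals the active interface's MAC. The timing race the
    advisory mentions is not modelled; the test is deterministic here."""
    for iface, (ip, mac) in active_ifaces.items():
        for _, reply_mac in segments[iface].arp_replies(ip):
            if not check_mac or reply_mac == mac:
                return False  # standby believes the active is alive: no failover
    return True


# Constructed active unit with two data interfaces (nameif -> (IP, MAC)).
ACTIVE = {"outside": ("192.0.2.1", "00:00:5e:00:53:01"),
          "inside": ("10.0.0.1", "00:00:5e:00:53:02")}


def _topology(extra: Optional[Dict[str, Host]] = None) -> Dict[str, Segment]:
    """Active unit has crashed (alive=False) on every segment; 'extra' adds
    one more host to the named segment."""
    segs = {name: Segment([Host(ip, mac, alive=False)])
            for name, (ip, mac) in ACTIVE.items()}
    for name, host in (extra or {}).items():
        segs[name].hosts.append(host)
    return segs


def scenario_clean_crash(check_mac: bool = False) -> bool:
    """No duplicate and no attacker: the standby should take over."""
    return standby_fails_over(ACTIVE, _topology(), check_mac)


def scenario_duplicate_ip(check_mac: bool = False) -> bool:
    """CSCsc34022: a misconfigured host shares the active's outside IP."""
    dup = Host("192.0.2.1", "00:11:22:33:44:55")
    return standby_fails_over(ACTIVE, _topology({"outside": dup}), check_mac)


def scenario_spoofed_ip_and_mac(check_mac: bool = True) -> bool:
    """CSCsc47618: attacker spoofs both the active's inside IP and MAC, so
    even the MAC-checking test is fooled."""
    attacker = Host("10.0.0.1", "de:ad:be:ef:00:01", spoof_mac="00:00:5e:00:53:02")
    return standby_fails_over(ACTIVE, _topology({"inside": attacker}), check_mac)


# Detection side: the ASA logs duplicate IPs as %PIX-4-405001. The field
# layout is assumed from the one format line quoted in the advisory.
ARP_COLLISION = re.compile(
    r"%PIX-4-405001: Received ARP response collision from "
    r"(?P<ip>[\d.]+)/(?P<mac>[0-9a-fA-F:.]+) on interface (?P<iface>[\w/-]+)")


def find_arp_collisions(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (ip, mac, interface) for every ARP collision message seen."""
    hits = []
    for line in lines:
        m = ARP_COLLISION.search(line)
        if m:
            hits.append((m["ip"], m["mac"], m["iface"]))
    return hits


SAMPLE_LOG = [  # constructed syslog lines
    "%PIX-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.7/4000 "
    "(198.51.100.7/4000) to inside:10.0.0.5/80 (192.0.2.9/80)",
    "%PIX-4-405001: Received ARP response collision from 192.0.2.1/00:11:22:33:44:55 "
    "on interface outside.",
]

if __name__ == "__main__":
    print("clean crash, fails over:", scenario_clean_crash())
    print("duplicate IP, fails over:", scenario_duplicate_ip())
    print("duplicate IP with MAC check, fails over:", scenario_duplicate_ip(check_mac=True))
    print("spoofed IP+MAC with MAC check, fails over:", scenario_spoofed_ip_and_mac())
    print("ARP collisions in log:", find_arp_collisions(SAMPLE_LOG))
```

Running it shows the two distinct problems side by side: the MAC check closes the duplicate-IP case but not the spoofed-IP-and-MAC case, which is why the advisory's second workaround is switch port security rather than anything on the firewall. The parser is the piece to wire into log monitoring, since a 405001 message before an outage is the early warning that the first workaround (no duplicate IPs) is not actually in place.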