Deadly pings for Cisco routers and switches

22 August 2009 | A bug in the Firewall Services Module (FWSM) software allows Cisco routers and switches to be disabled by a series of crafted ICMP packets. Catalyst 6500 series switches and Cisco 7600 series routers equipped with a Firewall Services Module are affected. All FWSM software versions 2.x, 3.x and 4.x without the specific fix for this bug are vulnerable. In a security advisory, Cisco states that processing ICMP packets can lead a processor to use all available execution threads, with the result that the system will not forward any further packets. The FWSM itself is then no longer available remotely and, if configured for failover operation, the failover may also fail.

From a story at H Security: Deadly pings for Cisco routers and switches – News – The H Security: News and features

The command show np 2 stats can be used to determine whether the problem has previously occurred. If it has, the error message “ERROR: np_logger_query request for FP Stats failed” is returned. The vendor does not suggest a workaround, but has made updated versions of the FWSM software available in which the problem does not occur.

Notice in the comments:

Ok, this is just plain inaccurate.

I’m not sure who read the Cisco advisory because they did a pretty bad job at the interpretation:

1) First off, this isn’t a bug that “disables Cisco routers and switches”. This is specifically about the FIREWALL MODULE that can be installed on a 6500-switch or a 7600-series router. Just because the module is installed on the switch/router does not mean that the entire platform is affected/disabled. Please read up on modular switches/routers to understand what that means.

2) The vendor DOES suggest a workaround (albeit not to be carried out on the FWSM itself); it may not be the most elegant, but the workaround is to filter ICMP packets before they get to the FWSM. The edge router would be the most suitable candidate for that and applying this filter would prevent the malicious ICMP traffic in question from reaching the vulnerable FWSM.

See also:

[Editor] And now an update: 9 September – It seems there is a problem, and now a fix:

Cisco TCP stack vulnerable to DoS attacks – News – The H Security: News and features

9 September 2009, 12:52

Cisco TCP stack vulnerable to DoS attacks

Cisco has released a software update to fix a DoS vulnerability in a number of its products. An attacker can manipulate the state of an open TCP connection so that it never times out and remains connected indefinitely. According to Cisco, such connections hang in the FINWAIT1 state.

If an attacker can achieve this with a large number of connections, they will consume sufficient resources to prevent further connections to the system being established. A reboot is required to resolve the problem. Crashes may also occur.

Cisco IOS, IOS-XE, CatOS, ASA, PIX, NX-OS and Linksys products are all affected. Precise details of which systems are affected and which are not can be found in the vendor’s own security advisory.

The problem is not new, but has been smouldering in the TCP stacks of a number of vendors for a while and is actually a bug in the TCP protocol itself. The problem was first reported by Robert E. Lee and Jack C. Louis from Outpost24 back in October. They used a special tool to demonstrate that a low bandwidth internet connection was able to knock a broadband server off the web. Vendors have been scrabbling around for a solution ever since.

Yesterday, Microsoft too released a patch to fix this problem. Checkpoint, Juniper and other vendors have also now reacted. The Finnish CERT has now finally released details of the problem and of the Sockstress tool used, and distributed to vendors, to test the issue.
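
A detection sketch for the hung connections described in the article above, added here as an example and not taken from Cisco or The H: it compares two snapshots of a device's TCP connection table and reports peers whose connections sit in FINWAIT1 in both. The column layout follows IOS "show tcp brief" output as an assumption; the sample tables, the interval between snapshots and the threshold are constructed for illustration.

```python
from collections import Counter

# Constructed samples in the layout of IOS "show tcp brief" output (assumed
# layout: TCB, local addr.port, foreign addr.port, state). Taken minutes apart.
SNAP_T0 = """\
TCB       Local Address           Foreign Address         (state)
63A1B2C0  192.0.2.1.23            198.51.100.7.40111      FINWAIT1
63A1B5F8  192.0.2.1.23            198.51.100.7.40112      FINWAIT1
63A1C010  192.0.2.1.23            198.51.100.7.40113      FINWAIT1
63A1C4A4  192.0.2.1.22            203.0.113.9.51822       FINWAIT1
63A1D000  192.0.2.1.22            203.0.113.20.50001      ESTAB
"""
SNAP_T1 = """\
TCB       Local Address           Foreign Address         (state)
63A1B2C0  192.0.2.1.23            198.51.100.7.40111      FINWAIT1
63A1B5F8  192.0.2.1.23            198.51.100.7.40112      FINWAIT1
63A1C010  192.0.2.1.23            198.51.100.7.40113      FINWAIT1
63A1D000  192.0.2.1.22            203.0.113.20.50001      ESTAB
63A1E100  192.0.2.1.22            203.0.113.9.51900       FINWAIT1
"""

def finwait1_conns(snapshot):
    """Return {(tcb, local, foreign)} for every row in FINWAIT1."""
    conns = set()
    for line in snapshot.splitlines():
        fields = line.split()
        # Skip the header, blank lines and anything not shaped like a row.
        if len(fields) != 4 or fields[3] != "FINWAIT1":
            continue
        conns.add(tuple(fields[:3]))
    return conns

def stuck_peers(before, after, threshold=3):
    """Peers with >= threshold connections in FINWAIT1 in BOTH snapshots.

    A connection that closes normally leaves FINWAIT1 quickly, so only
    connections present in both snapshots are counted as hung.
    """
    persistent = finwait1_conns(before) & finwait1_conns(after)
    per_peer = Counter(foreign.rsplit(".", 1)[0] for _, _, foreign in persistent)
    return {ip: n for ip, n in per_peer.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in stuck_peers(SNAP_T0, SNAP_T1).items():
        print(f"{ip}: {n} connections hung in FINWAIT1")
```

The peer 203.0.113.9 appears in FINWAIT1 in both samples but on a different connection each time, so it is not reported; only connections that persist across snapshots count.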
