-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                         ESB-2007.0290 -- [Cisco]
      DHCP Relay Agent Vulnerability in Cisco PIX and ASA Appliances
                                3 May 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Cisco PIX
                      Cisco ASA
Publisher:            Cisco Systems
Operating System:     Cisco PIX Software Versions 7.2(1) through 7.2(2.14)
                      Cisco Adaptive Security Appliance Software Versions
                      7.2(1) through 7.2(2.14)
Impact:               Denial of Service
Access:               Remote/Unauthenticated

Original Bulletin:    
http://www.cisco.com/warp/public/707/cisco-sr-20070502-pix.shtml

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Response: DHCP Relay Agent Vulnerability in Cisco PIX 
                         and ASA Appliances

http://www.cisco.com/warp/public/707/cisco-sr-20070502-pix.shtml

Revision 1.0

For Public Release 2007 May 02 1600 UTC (GMT)

- - ------------------------------------------------------------------------

Cisco Response
==============

This is a Cisco response to a CERT/CC advisory posted on May 2, 2007,
entitled "Cisco ASA fails to properly process DHCP relay packets". This
advisory is available at the following link:
http://www.kb.cert.org/vuls/id/530057

Cisco confirms the memory exhaustion vulnerability as per the advisory
published by CERT/CC and confirms that this vulnerability affects the
PIX and ASA appliances running system software 7.2 only. Exploitation
of the vulnerability may lead to a Denial of Service condition against
the appliance.

The firewall services module (FWSM) is not affected by this 
vulnerability.

PSIRT would like to thank Grant Deffenbaugh and Lisa Sittler from the 
CERT/CC for reporting this vulnerability to us.

We greatly appreciate the opportunity to work with researchers on
security vulnerabilities, and welcome the opportunity to review and
assist in security vulnerability reports against Cisco products.

Additional Information
======================

The DHCP protocol supplies automatic configuration parameters such as
an IP address, subnet mask, default gateway, DNS server address, and
WINS address to hosts. Initially, DHCP clients have none of these 
configuration parameters. They obtain this information by sending a 
broadcast request for it. When a DHCP server sees this request, the 
DHCP server supplies the necessary information.  Layer 3 devices such
as routers and firewalls do not typically forward these broadcast 
requests by default.

In situations where it is not convenient to locate DHCP clients and 
DHCP servers upon the same subnet, PIX and ASA security appliances 
provide means for the use of a DHCP relay mechanism. When the DHCP
relay agent receives the initial DHCPDISCOVER broadcast message on
its configured listening interface from a DHCP client, it forwards
the request to all of the specified DHCP server(s) located on another
configured interface. The DHCP server(s) reply with a DHCPOFFER
message, which the DHCP relay agent in turn forwards to the original
DHCP client. The DHCP client then responds with a DHCPREQUEST
broadcast message to select a specific DHCP proposal, which the DHCP
relay agent also forwards to all of the DHCP server(s). The DHCP
server with the selected lease then returns a DHCPACK, also 
forwarded by the DHCP relay agent, to tell the DHCP client that the
lease is finalized. 

If a client has obtained a network address through some other means 
(e.g., manual configuration), it may use a DHCPINFORM request message
to obtain other local configuration parameters, which the DHCP relay 
agent also forwards to all of the DHCP server(s). The DHCP server(s)
receiving the DHCPINFORM then return a DHCPACK message with any local
configuration parameters appropriate for the client, also forwarded
by the DHCP relay agent.

Thus, the DHCP relay agent acts as a proxy for the DHCP client in its
conversation with the DHCP server(s).
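The exchange described above, modelled in Python as an added example (this
is not Cisco code and not the PIX/ASA implementation): a minimal RFC 2131
message encoder/parser, a toy DHCP server that follows only the reply
rules that matter here, and a relay agent that copies each client message
to every configured server and passes every server reply back. The server
and relay behaviour, the giaddr/hops handling, and all addresses and MACs
are assumptions made for the illustration. It shows the fan-out the
advisory relies on: with N servers configured, a DHCPINFORM (or a
DHCPREQUEST that names no server in option 54) produces N DHCPACK messages
at the relay, while a single server produces one.

```python
import struct

# BOOTP op codes and DHCP message types (RFC 2131, option 53 of RFC 2132)
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPINFORM = 1, 2, 3, 5, 8
MAGIC = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"     # fixed BOOTP header, 236 bytes


def ip2b(ip):
    return bytes(int(o) for o in ip.split("."))


def b2ip(b):
    return ".".join(str(x) for x in b)


def build(op, mtype, xid, mac, giaddr="0.0.0.0", yiaddr="0.0.0.0",
          hops=0, server_id=None):
    """Encode a minimal DHCP message: BOOTP header, magic cookie,
    option 53 (message type), optional option 54 (server id), end."""
    hdr = struct.pack(HDR, op, 1, 6, hops, xid, 0, 0x8000,
                      ip2b("0.0.0.0"), ip2b(yiaddr), ip2b("0.0.0.0"),
                      ip2b(giaddr), mac.ljust(16, b"\x00"),
                      b"\x00" * 64, b"\x00" * 128)
    opts = bytes([53, 1, mtype])
    if server_id:
        opts += bytes([54, 4]) + ip2b(server_id)
    return hdr + MAGIC + opts + bytes([255])


def parse(pkt):
    """Decode the fixed header and walk the TLV option list."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    msg = {"op": f[0], "hops": f[3], "xid": f[4], "yiaddr": b2ip(f[8]),
           "giaddr": b2ip(f[10]), "chaddr": f[11][:f[2]], "server_id": None}
    i = 240
    while pkt[i] != 255:                      # 255 = end option
        if pkt[i] == 0:                       # 0 = pad, no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        val = pkt[i + 2:i + 2 + ln]
        if code == 53:
            msg["type"] = val[0]
        elif code == 54:
            msg["server_id"] = b2ip(val)
        i += 2 + ln
    return msg


class DhcpServer:
    """Toy server (assumed behaviour): OFFER on DISCOVER, ACK on INFORM
    unconditionally, ACK on REQUEST unless option 54 names another server."""
    def __init__(self, ip, lease):
        self.ip, self.lease = ip, lease

    def handle(self, req):
        m = parse(req)

        def reply(t):
            return build(BOOTREPLY, t, m["xid"], m["chaddr"],
                         giaddr=m["giaddr"], yiaddr=self.lease,
                         server_id=self.ip)
        if m["type"] == DHCPDISCOVER:
            return [reply(DHCPOFFER)]
        if m["type"] == DHCPREQUEST and m["server_id"] in (None, self.ip):
            return [reply(DHCPACK)]
        if m["type"] == DHCPINFORM:
            return [reply(DHCPACK)]
        return []


class RelayAgent:
    """Relay as the advisory describes it: each client message goes to
    every configured server (giaddr stamped, hops incremented) and every
    server reply is passed back toward the client."""
    def __init__(self, servers, giaddr):
        self.servers, self.giaddr = servers, giaddr

    def relay(self, client_pkt):
        m = parse(client_pkt)
        out = build(BOOTREQUEST, m["type"], m["xid"], m["chaddr"],
                    giaddr=self.giaddr, hops=m["hops"] + 1,
                    server_id=m["server_id"])
        replies = []
        for s in self.servers:
            replies += s.handle(out)
        return [parse(r) for r in replies]


def replies_for(n_servers, mtype, server_id=None):
    """(offers, acks) the relay must buffer and forward for one client
    message when n_servers are configured. Addresses are constructed."""
    servers = [DhcpServer(f"10.2.1.{i + 2}", f"192.168.1.{i + 10}")
               for i in range(n_servers)]
    relay = RelayAgent(servers, "192.168.1.1")
    mac = bytes.fromhex("0011223344ff")
    out = relay.relay(build(BOOTREQUEST, mtype, 0x1234, mac,
                            server_id=server_id))
    return (sum(r["type"] == DHCPOFFER for r in out),
            sum(r["type"] == DHCPACK for r in out))


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, "server(s): INFORM ->", replies_for(n, DHCPINFORM)[1], "ACK(s)")
```

Each reply reaches the relay in its own packet buffer, which is the point
of the advisory: on affected builds with more than one "dhcprelay server",
handling those extra DHCPACK messages consumes the 1550-byte block pool.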

A vulnerability exists in the PIX and ASA appliance system software
when configured for DHCP relay agent functionality: DHCPACK messages
received from multiple DHCP servers in response to a DHCP client's
DHCPREQUEST or DHCPINFORM message may consume the 1550-byte block
memory (the pool used to store Ethernet packets for processing
through the security appliance). This can occur during normal device
operation when an affected version is configured with more than one
DHCP server via the "dhcprelay server" command. Once the 1550-byte
block memory has been fully exhausted, the appliance starts dropping
packets and no traffic is forwarded. The free count of the 1550-byte
pool can be watched in the CNT column of "show blocks"; a LOW value
of 0 for that pool indicates it has been exhausted at some point.
Systems configured with only a single DHCP server via the "dhcprelay
server" command are not vulnerable.

This vulnerability is documented in Cisco Bug ID: CSCsh50277.

This vulnerability affects system software versions 7.2(1) through 
7.2(2.14) inclusive.

Cisco has provided fixed system software - 7.2(2.15) or later, which
is available for download from:

ASA: http://www.cisco.com/cgi-bin/tablebuild.pl/asa-interim
PIX: http://www.cisco.com/cgi-bin/tablebuild.pl/pix-interim

To determine whether a PIX or ASA appliance is configured to use the
DHCP relay agent feature, log in to the appliance and issue the
command line interface (CLI) command "show dhcprelay state". Systems
returning anything other than "Not Configured for DHCP" have DHCP
relay configured and are vulnerable if more than one "dhcprelay
server" entry is present. Alternatively, issue the CLI command
"show running-config dhcprelay", which lists every "dhcprelay server"
entry directly.

The following examples show an appliance not configured for DHCP
relay agent:

pix#show dhcprelay state  
Context  Not Configured for DHCP
Interface outside, Not Configured for DHCP
Interface inside, Not Configured for DHCP
pix#

asa#show dhcprelay state
 Not Configured for DHCP
asa#

The following example shows an appliance configured for DHCP relay 
agent:

asa#show dhcprelay state               
Context  Configured as DHCP Relay
Interface outside, Configured for DHCP RELAY
Interface inside, Configured for DHCP RELAY SERVER
asa#

The following example shows confirmation of an appliance configured
for DHCP relay agent via the show running-config CLI command (An 
appliance not configured for DHCP relay agent will return nothing):

asa#show running-config dhcprelay
dhcprelay server 10.2.1.2 outside
dhcprelay enable inside
dhcprelay timeout 60
asa# 

The following example shows a response from an appliance not 
configured for DHCP relay agent:

asa#show running-config dhcprelay
asa# 

Workarounds
+----------

There are no workarounds for this vulnerability; the fix is to upgrade
to system software 7.2(2.15) or later.

Configuring a single DHCP server with the "dhcprelay server" command
prevents the condition from being triggered under normal operating
conditions and can serve as an interim mitigation until the appliance
is upgraded.

Provided below is an example of a device running with two dhcprelay
servers configured, and applying the mitigation (one of the two
"dhcprelay server" entries is removed from configuration mode):

asa#show running-config dhcprelay
dhcprelay server 192.168.200.210 inside
dhcprelay server 192.168.200.200 inside
dhcprelay enable outside
dhcprelay timeout 60
asa#configure terminal
asa(config)# no dhcprelay server 192.168.200.210 inside
asa(config)# exit
asa#
asa#show running-config dhcprelay
dhcprelay server 192.168.200.200 inside
dhcprelay enable outside
dhcprelay timeout 60
asa#
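An audit helper for the version check, the "show running-config dhcprelay"
check and the interim mitigation above, written as an added example (not
Cisco tooling). It takes the text of "show version" and "show running-config
dhcprelay" as captured from a device, decides whether the appliance is in
the affected set (7.2(1) through 7.2(2.14) inclusive with more than one
"dhcprelay server" entry), and emits the "no dhcprelay server" lines that
leave a single server configured. The version-line regular expression,
including the "7.2(2)14" spelling of an interim build, is an assumption;
the sample outputs embedded below are constructed from the examples in
this advisory.

```python
import re

# Affected range and first fixed build, from the advisory
FIRST_AFFECTED = (7, 2, 1, 0)
LAST_AFFECTED = (7, 2, 2, 14)
FIRST_FIXED = (7, 2, 2, 15)


def parse_version(show_version):
    """'... Software Version 7.2(2.14)' -> (7, 2, 2, 14).
    Assumption: interim builds appear as 7.2(2.14) or 7.2(2)14;
    a plain release such as 7.2(1) gets 0 as its interim number."""
    m = re.search(r"Version\s+(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?",
                  show_version)
    if not m:
        raise ValueError("no software version line found")
    maj, mi, rel, interim_dot, interim_after = m.groups()
    return (int(maj), int(mi), int(rel), int(interim_dot or interim_after or 0))


def parse_dhcprelay(running_config):
    """Return (servers, enabled_interfaces) from 'show running-config
    dhcprelay'; servers is a list of (ip, interface) in config order."""
    servers, enabled = [], []
    for line in running_config.splitlines():
        m = re.match(r"\s*dhcprelay server (\S+) (\S+)", line)
        if m:
            servers.append((m.group(1), m.group(2)))
        m = re.match(r"\s*dhcprelay enable (\S+)", line)
        if m:
            enabled.append(m.group(1))
    return servers, enabled


def assess(show_version, running_config):
    """Combine both checks. Vulnerable = affected build AND more than one
    'dhcprelay server' entry. The workaround keeps the first configured
    server and removes the rest; which server to keep is an operational
    choice, the advisory's own example keeps the second one."""
    v = parse_version(show_version)
    servers, enabled = parse_dhcprelay(running_config)
    affected_version = FIRST_AFFECTED <= v <= LAST_AFFECTED
    vulnerable = affected_version and len(servers) > 1
    workaround = []
    if vulnerable:
        workaround = (["configure terminal"]
                      + [f"no dhcprelay server {ip} {iface}"
                         for ip, iface in servers[1:]]
                      + ["exit"])
    return {"version": v, "affected_version": affected_version,
            "servers": servers, "enabled": enabled,
            "vulnerable": vulnerable, "workaround": workaround,
            "fix": "upgrade to %d.%d(%d.%d) or later" % FIRST_FIXED}


# Constructed sample outputs, based on the examples in the advisory
SHOW_VERSION_AFFECTED = (
    "Cisco Adaptive Security Appliance Software Version 7.2(2.14)\n")
SHOW_VERSION_FIXED = (
    "Cisco PIX Security Appliance Software Version 7.2(2.15)\n")
TWO_SERVERS = """dhcprelay server 192.168.200.210 inside
dhcprelay server 192.168.200.200 inside
dhcprelay enable outside
dhcprelay timeout 60
"""
ONE_SERVER = """dhcprelay server 10.2.1.2 outside
dhcprelay enable inside
dhcprelay timeout 60
"""

if __name__ == "__main__":
    for ver, cfg in ((SHOW_VERSION_AFFECTED, TWO_SERVERS),
                     (SHOW_VERSION_AFFECTED, ONE_SERVER),
                     (SHOW_VERSION_FIXED, TWO_SERVERS)):
        r = assess(ver, cfg)
        print(r["version"], "servers=%d" % len(r["servers"]),
              "vulnerable=%s" % r["vulnerable"])
        for line in r["workaround"]:
            print("   ", line)
```

Run it against the saved output of the two CLI commands from each device;
a "vulnerable=True" result prints the mitigation commands, but the
appliance should still be moved to 7.2(2.15) or later.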

Any DHCP packet received on an interface not configured with a 
"dhcprelay server" command or "dhcprelay enable" will be dropped by
the firewall.  

Depending on your network environment, the use of ACLs or the
implementation of anti-spoofing protections in the form of
Infrastructure ACLs (iACLs) or Unicast Reverse Path Forwarding
(Unicast RPF) will further reduce the possibility of malicious
exploitation from sources behind the interfaces configured with the
"dhcprelay server" command. More information on iACLs is available in
Protecting Your Core:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
For information regarding Unicast RPF please see IETF Best Current
Practice 84, "Ingress Filtering for Multihomed Networks", at
http://www.ietf.org/rfc/bcp/bcp84.txt

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY 
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF 
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE 
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS 
DOCUMENT AT ANY TIME.

Revision History
================

+-------------------------------------------------------------------+
| Revision 1.0 | 2007-May-2 | Initial public release                |
+-------------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco 
products, obtaining assistance with security incidents, and 
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco 
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGOKSf8NUAbBmDaxQRAiauAJ4rFEcCeoTK8y7LtbDbXLe9zSyeYACfXir0
R6D+CzPEeQ6fgxm9qCUb33s=
=1RHd
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRjk2Dih9+71yA2DNAQKOaQP9EsKS86k/U0jxmL8hh8W0bxcjkPb9FX35
Ay2OKemSkQ8n4DMz1oSz4Q4PhD4v3XyJUuLJ/9qxAKy+4dmSL+qtUmDoT2+4Wc6S
IjF75ZQOqaap9NwG2vdQZjBE0EGe8PakY/UKfYDg6Cm58oyNBv5KvdyWmNYuDRol
Czyh5xXOFV0=
=GLRD
-----END PGP SIGNATURE-----