[NEWS] Cisco ASA Multiple Failover DoS Vulnerabilities

Subject: [NEWS] Cisco ASA Multiple Failover DoS Vulnerabilities
Date: 15 Nov 2005 12:48:28 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Cisco ASA Multiple Failover DoS Vulnerabilities
------------------------------------------------------------------------


SUMMARY

"The Cisco ASA 5500 Series Adaptive Security Appliance 
(<http://www.cisco.com/en/US/products/ps6120/>) is a high-performance, 
multifunction security appliance family delivering converged firewall, IPS, 
network anti-virus and VPN services."

When an attacker sends crafted ARP packets that conflict with a Cisco ASA IP 
address, or when the Cisco ASA is spoofed with ARP packets, it is possible to 
cause a DoS (failover is suppressed) and bypass the Cisco ASA firewall.

DETAILS

Vulnerable Systems:
 * Cisco Adaptive Security Appliances version 7.0.0
 * Cisco Adaptive Security Appliances version 7.0.2
 * Cisco Adaptive Security Appliances version 7.0.4

Inherent weaknesses in the Cisco ASA failover testing algorithm and 
methodology were identified and reported to Cisco TAC and PSIRT. The two 
weaknesses are a race condition between two different failover testing 
processes and a lack of authentication for failover messages between the 
active and standby units.

These conditions are noted in Cisco bug IDs:
 * CSCsc34022 - ASA-PIX requires improved failover testing method
 * CSCsc47618 - Authenticate all messages between Active and Standby

In an Active/Standby configuration:
When failover LAN communication goes down (e.g. cable problem, switch/hub 
failure, interface failure, ASA software bug, etc.), the standby firewall 
sends ARP requests on each of the segments for the IP address of the 
Active firewall to see if the Active is still alive. If there is a 
response to AT LEAST ONE of the requests, the standby will NOT become 
active (i.e. there is no failover).

For this issue to occur, a duplicate IP address matching one of the active 
firewall's IP addresses must be present on the same network subnet as the 
firewalls when the active firewall loses power or crashes.

When the active firewall loses power or crashes, the standby firewall's 
LAN failover interface will lose connectivity with the active firewall. 
This causes the standby firewall to ARP for the IP address of each active 
firewall interface. Because the active firewall is now unreachable, the 
duplicate IP address matching the active firewall will cause the standby 
firewall to receive a reply to the ARP attempt. Upon receiving the 
erroneous ARP reply, the standby firewall believes that the active 
firewall is still reachable, which prevents the standby firewall from 
taking over.

Due to the timing of two concurrent failover tests, there are still cases 
where the standby firewall will be able to determine that the active 
firewall is down even when a duplicate IP address is present; however, 
this cannot be guaranteed.

Workaround:
Connecting the LAN failover interfaces of the firewalls to switch ports 
may minimize but not completely mitigate the chance that an otherwise 
active firewall will lose connectivity to its LAN failover interface.

Preventing or correcting IP addresses that duplicate the firewall IP 
addresses is a complete workaround for this issue.
The firewall will detect and log duplicate IP addresses with the system log 
message:

  %PIX-4-405001: Received ARP response collision from <firewall IP address>/<MAC address of device with duplicate IP address> on interface <firewall interface>
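Because a duplicate of an active-unit address is the precondition for the failover issue, the 405001 message is the signal worth monitoring. The following is an added example (not part of the advisory or Cisco's tooling) that parses syslog lines of the shape quoted above, counts repeated collisions per interface/IP/MAC, and flags those where the colliding IP belongs to the active unit, since a duplicate of a standby-only address does not affect the standby's ARP test. The log lines, hostnames, addresses and MACs are constructed; the tag prefix also accepts "%ASA-4-405001" as an assumption, since later releases use that prefix.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Pattern for the 405001 message quoted in the advisory. "%PIX-4-405001" is the
# tag the advisory shows; accepting "%ASA-" as well is an assumption.
ARP_COLLISION = re.compile(
    r"%(?:PIX|ASA)-4-405001: Received ARP response collision from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"on interface (?P<iface>\S+)"
)


class Collision(NamedTuple):
    iface: str
    ip: str    # the firewall's own address that was seen in a conflicting reply
    mac: str   # MAC of the other device claiming that address


# Constructed sample log (not real ASA output): two repeated collisions on the
# active unit's inside address, one on the standby unit's inside address, plus
# unrelated filler lines.
SAMPLE_LOG = """\
Nov 15 2005 12:40:01 fw-primary %PIX-6-302013: Built outbound TCP connection 1234 (constructed filler)
Nov 15 2005 12:40:07 fw-primary %PIX-4-405001: Received ARP response collision from 10.1.1.1/0011.2233.4455 on interface inside
Nov 15 2005 12:40:09 fw-primary %PIX-4-405001: Received ARP response collision from 10.1.1.1/0011.2233.4455 on interface inside
Nov 15 2005 12:41:30 fw-primary %PIX-4-405001: Received ARP response collision from 10.1.1.2/00aa.bbcc.ddee on interface inside
Nov 15 2005 12:42:00 fw-primary %PIX-6-302014: Teardown TCP connection 1234 (constructed filler)
"""

# Constructed inventory: interface -> IP used by the ACTIVE unit. In the
# advisory's model the standby ARPs for exactly these addresses.
ACTIVE_IPS: Dict[str, str] = {"inside": "10.1.1.1", "outside": "203.0.113.1"}


def parse_collisions(lines: List[str]) -> List[Collision]:
    """Extract every 405001 collision from a list of syslog lines."""
    found = []
    for line in lines:
        m = ARP_COLLISION.search(line)
        if m:
            found.append(Collision(m["iface"], m["ip"], m["mac"].lower()))
    return found


def summarize(collisions: List[Collision]) -> Counter:
    """Count how often each (interface, ip, mac) triple was reported."""
    return Counter((c.iface, c.ip, c.mac) for c in collisions)


def failover_at_risk(collisions: List[Collision],
                     active_ips: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return the distinct collisions that duplicate an active-unit address.

    These are the cases in which, if the active unit died right now, the
    standby's ARP test could be answered by the duplicate host and failover
    would be suppressed. Collisions on standby-only addresses are still
    misconfigurations but are not returned here.
    """
    risky = {(c.iface, c.ip, c.mac) for c in collisions
             if active_ips.get(c.iface) == c.ip}
    return sorted(risky)


if __name__ == "__main__":
    cols = parse_collisions(SAMPLE_LOG.splitlines())
    for key, n in summarize(cols).items():
        print(f"{n}x collision on {key[0]}: {key[1]} claimed by {key[2]}")
    for iface, ip, mac in failover_at_risk(cols, ACTIVE_IPS):
        print(f"FAILOVER RISK: active address {ip} on {iface} duplicated by {mac}")
```

In production the same parser would be fed from the syslog collector that already receives the ASA's messages; the point of the active-IP filter is to raise the alert on the addresses the standby actually tests, and to give the offending MAC so the duplicate host can be located and corrected, which the advisory describes as the complete workaround.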

Additional information about this syslog message is available at:
System Log Messages
<http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/syslog/logmsgs.htm#wp1282234>

Additional information about configuring failover in PIX and ASA 7.0 is 
available at:
<http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/failover.htm>

Additional information about configuring failover in FWSM 2.3 is available 
at:
Using Failover
<http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_3/fwsm_cfg/failover.htm>

The Release Note Enclosure for CSCsc47618 states:
An attacker who can spoof the IP address and MAC address of an active 
firewall's interface may prevent failover from occurring.

When the active firewall loses power or crashes, the standby firewall's 
LAN failover interface will lose connectivity with the active firewall. 
This causes the standby firewall to ARP for the IP address of each active 
firewall interface. The standby firewall will only accept the ARP response 
if the source MAC address matches the active firewall's interface MAC 
address. An attacker who can spoof the IP address and MAC address of the 
active firewall's interface can lead the standby firewall to believe that 
the active firewall is still reachable and prevent the standby firewall 
from taking over.

Workaround:
Configure port security on all switch ports that are in the same VLANs as 
the active and standby firewalls' enabled interfaces. Port security must 
not be enabled on the switch ports connected to the active and standby 
firewalls' own interfaces.

Port security will prevent an attacker from spoofing the active firewall's 
interface MAC address, allowing failover to occur normally.
This configuration should be tested before being enabled in a production 
environment.

For information on configuring port security refer to:
Catalyst 6500 Series Cisco IOS Software Configuration Guide - Configuring 
Port Security
<http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a2c.html>
Catalyst 6500 Series Software Configuration Guide - Configuring Port 
Security
<http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008022f27b.html>
LAN Security Configuration Guides
<http://www.cisco.com/en/US/tech/tk389/tk814/tech_configuration_guides_list.html>

For information about layer 2 attacks and mitigations refer to:

SAFE Layer 2 Security In-depth Version 2:
<http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml>


ADDITIONAL INFORMATION

The information has been provided by Amin Tora <mailto:atora@eplus.com> 
and Randy Ivener <mailto:rivener@cisco.com>.
