Title: Cisco PIX and CBAC Fragmentation Attack
Severity: MODERATE
Description:
Both the Cisco PIX Firewall software and the Context-based Access Control (CBAC) feature of Cisco's IOS Firewall Feature Set do not properly check non-initial fragmented IP packets. Although non-initial IP fragments may belong to sessions that would normally be blocked, they are forwarded to the destination host. This may lead to a denial of service (DoS) attack through exhaustion of the resources required to keep track of the fragmented IP packets.
The problem can be fixed by keeping track of the sessions that fragmented IP packets belong to and by blocking non-initial fragments for which no initial packet has been seen.
The DoS attack can easily be carried out with publicly available tools.
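The following is an added illustration of the fix the advisory describes, written for this page; it is not Cisco or Juniper code. It models the two behaviours side by side: a "legacy" decision that forwards every non-initial fragment, and a guard that only forwards a non-initial fragment when the initial fragment of the same datagram (same source, destination, IP identification and protocol) has already been seen and permitted. The tracking table is bounded and evicts its oldest entry when full, so the firewall's own state cannot be exhausted. The Fragment fields, the port policy and the sample traffic are all constructed for the example.

```python
"""Virtual fragment reassembly check for a stateful firewall (added example).

Only the initial fragment (offset 0) carries the transport header, so it is the
only fragment on which a port-based ACL decision can be made. Non-initial
fragments are forwarded only if their datagram's initial fragment was permitted.
Not Cisco or Juniper code; all names and values below are constructed.
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int                      # IP identification, shared by all fragments of one datagram
    proto: int                      # 6 = TCP, 17 = UDP
    offset: int                     # fragment offset in 8-byte units; 0 = initial fragment
    more_fragments: bool            # MF flag; False on the last fragment
    dst_port: Optional[int] = None  # only known for the initial fragment (constructed field)


# Constructed policy: the only inbound (proto, dst_port) pairs the firewall permits.
ALLOWED_DST_PORTS = {(6, 80), (6, 443), (17, 53)}


def policy_permits(frag: Fragment) -> bool:
    """Stateless ACL decision; meaningful only for a fragment carrying the L4 header."""
    return (frag.proto, frag.dst_port) in ALLOWED_DST_PORTS


def legacy_decide(frag: Fragment) -> str:
    """Behaviour the advisory describes: non-initial fragments bypass the ACL entirely."""
    if frag.offset == 0:
        return "forward" if policy_permits(frag) else "drop"
    return "forward"


class FragmentGuard:
    """Forward non-initial fragments only for datagrams whose initial fragment was permitted.

    The table is bounded: when max_tracked datagrams are pending, the oldest entry
    is evicted, so a flood of unrelated fragments cannot grow firewall state without limit.
    """

    def __init__(self, max_tracked: int = 1024):
        self.max_tracked = max_tracked
        self._permitted: "OrderedDict[tuple, int]" = OrderedDict()  # datagram key -> fragments forwarded
        self.dropped_orphans = 0  # non-initial fragments with no permitted initial; a burst here is worth alerting on

    @staticmethod
    def _key(frag: Fragment) -> tuple:
        return (frag.src, frag.dst, frag.ip_id, frag.proto)

    def decide(self, frag: Fragment) -> str:
        key = self._key(frag)
        if frag.offset == 0:
            if not policy_permits(frag):
                return "drop"
            if frag.more_fragments:  # more pieces will follow; remember that this datagram is allowed
                if key not in self._permitted and len(self._permitted) >= self.max_tracked:
                    self._permitted.popitem(last=False)  # evict the oldest pending datagram
                self._permitted[key] = 1
            return "forward"
        # Non-initial fragment: no L4 header, so the only basis for a decision is
        # whether this datagram's initial fragment has already been permitted.
        if key not in self._permitted:
            self.dropped_orphans += 1
            return "drop"
        self._permitted[key] += 1
        if not frag.more_fragments:
            del self._permitted[key]  # last fragment seen; release the tracking entry
        return "forward"


def run(decider: Callable[[Fragment], str], frags: List[Fragment]) -> List[str]:
    """Apply a decision function to a fragment sequence in arrival order."""
    return [decider(f) for f in frags]


# Constructed traffic: a permitted HTTP datagram in three fragments, a blocked telnet
# datagram in two fragments, then three stray non-initial fragments whose initial
# fragments the firewall never saw.
SAMPLE = [
    Fragment("192.0.2.10", "198.51.100.5", 100, 6, 0, True, 80),
    Fragment("192.0.2.10", "198.51.100.5", 100, 6, 185, True),
    Fragment("192.0.2.10", "198.51.100.5", 100, 6, 370, False),
    Fragment("192.0.2.10", "198.51.100.5", 101, 6, 0, True, 23),
    Fragment("192.0.2.10", "198.51.100.5", 101, 6, 185, False),
] + [Fragment("203.0.113.7", "198.51.100.5", 5000 + i, 17, 185, True) for i in range(3)]

if __name__ == "__main__":
    guard = FragmentGuard()
    for frag, old, new in zip(SAMPLE, run(legacy_decide, SAMPLE), run(guard.decide, SAMPLE)):
        print(f"id={frag.ip_id:5d} off={frag.offset:4d} legacy={old:8s} guarded={new}")
    print("orphan fragments dropped:", guard.dropped_orphans)
```

Running the sample shows the legacy path forwarding the tail of the blocked telnet datagram and all three stray fragments, while the guard drops all four as orphans and ends with an empty tracking table once the permitted datagram completes. The `dropped_orphans` counter is the natural detection hook: a sudden rise in orphan fragments from one source is the signature of the flood the advisory describes.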
Affected Products:
- Cisco IOS 11.2P
- Cisco IOS 11.3T
- Cisco IOS 12.0
- Cisco IOS 12.0T
- Cisco PIX Firewall 4.2.1
References:
- Cisco Systems: Cisco Product Security Incident Response
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.