Hi Claudiu,
The Cisco Technical Assistance Center is working on this case
currently. We do not typically comment on cases that are still actively
being worked. If you feel that progress is not being made on the case,
please alert the case owner, or ask to speak with a manager.
The engineers working this case have been working to reproduce the problem,
engineering is also working on the problem in conjunction with the customer
support engineer. The crash info you have provided has not been helpful
due to another defect, CSCdp66094, which causes the 5.1 series of code to
continuously reload once the defect has been triggered with non-informative
crash info.
The crash does not occur in the later versions of code, and the 5.1 series
of code is not recommended for customers due to the following
announcement.
http://www.cisco.com/warp/customer/cc/pd/fw/sqfw500/prodlit/1303_pp.htm
At this point we are still investigating the possible options for a fix.
Thank you,
Lisa Napier
Product Security Incident Response Team
Cisco Systems
At 12:06 AM 01/04/06, Claudiu Calomfirescu wrote:
>06.04.2001
>Datanet Systems
>Claudiu Calomfirescu
>[EMAIL PROTECTED]
>
>
>PIX Firewall 5.1 DoS Vulnerability
>
>
>Description:
>------------
>An attacker from inside or outside interfaces of a
>PIX Firewall 515 or 520, 5.1.4 version running aaa
>authentication against a TACACS+ Server could
>cause the PIX to crash and reload by overwhelming
>it with authentication requests.
>
>
>Products affected:
>------------------
>Vulnerable Product: PIX Firewall 515, 520
>Vulnerable OS: 5.1.4 - General Deployment
>Release
>Non Vulnerable OS: 5.3.1 - General Deployment
>Release
>
>
>Vendor response:
>----------------
>The vendor (Cisco Systems) was noticed on 14 March
>(TAC case number B215177) and till now they only
>asked about the environment in which was found,
>without really trying to reproduce. They received
>the exploit program, PIX configuration, detailed
>description about whats happened, stack trace from
>the crash, logs.
>
>
>How was found:
>--------------
>1. A user from inside without aaa permission to go
>out, play a game (Jewels) from zapspot.com. - he
>does not know a thing about what is happening in
>the background.
>
>2. At a certain time, the game try to connects to
>the address api.zapspot.com on port 80 from port
>2000.
>
>3. The pix start an authentication process, but
>the game is not a browser and the user dont see a
>thing, after that, the game try to connects to the
>address api.zapspot.com on port 80 from port 2001,
>2002, 2003 and so on very very quickly (hundreds
>per seconds)
>
>4. The pix has too many authentication in progress
>and crash.
>
>
>Discussion:
>------------
>
>To reproduce the problem do the following:
>
>1. Configure the PIX Firewall version 5.1.4 for
>aaa authentication against a TACACS+ server:
>
>aaa-server TACACS+ protocol tacacs+
>aaa-server RADIUS protocol radius
>aaa-server grup protocol tacacs+
>aaa-server grup (inside) host 10.10.10.20 cheia
>timeout 5
>aaa authentication include http outbound 0.0.0.0
>0.0.0.0 0.0.0.0 0.0.0.0 grup
>aaa authorization include http outbound 0.0.0.0
>0.0.0.0 0.0.0.0 0.0.0.0 grup
>aaa accounting include http outbound 0.0.0.0
>0.0.0.0 0.0.0.0 0.0.0.0 grup
>
>2. From an inside host generate http request with
>sweep source port directed to a global address on
>port 80.
>
>In our case we generate a http request from port
>2000, the pix start an authentication process:
>
>109001: Auth start for user '???' from
>10.10.10.1/2000 to 216.46.233.11/80
>
>after that we generate a http request from port
>2001,
>
>109001: Auth start for user '???' from
>10.10.10.1/2001 to 216.46.233.11/80
>
>and so on. After 426 requests (this number is not
>always the same) generated in 3 seconds the PIX
>give the message:
>
>Panic: uauth1 - open: no more channels
>(tcp/UNPROXY/1/0)!
>
>and crashed in:
>
>Thread Name: uauth1 (Old pc 0x80070b4f ebp
>0x810c56dc)
>
>and reloads.
>
>Very simple and nice.
>
>
>
>Version 5.3.1 is more stable, till now I could not
>get it down, I could consume all resources, but it
>didnt crash:
>
>701001: alloc_user() out of Tcp_user objects
>109010: Auth from 10.10.10.1/2440 to
>216.46.233.11/80 failed (too many pending auths)
>on interface inside
>
>We had available only PIX Firewall models 515 and
>520.
>
>
>--------------------------------------------------
>------------
>Claudiu Calomfirescu Datanet
>Systems SRL
>IT Security Consultant Zarii 14,
>sector 5
>mobile: + 40 94 20 33 55 Bucharest,
>Romania
>email: [EMAIL PROTECTED] tel: + 40
>1 22 33 755
>http://www.datanets.ro fax: + 40
>1 22 33 747
>--------------------------------------------------
>------------
