ID

VAR-200511-0294


CVE

CVE-2005-3774


TITLE

Cisco PIX fails to verify TCP checksum

Trust: 0.8

sources: CERT/CC: VU#853540

DESCRIPTION

Cisco PIX 6.3 and 7.0 allows remote attackers to cause a denial of service (blocked new connections) via spoofed TCP packets that cause the PIX to create embryonic connections that would not produce a valid connection with the end system, including (1) SYN packets with invalid checksums, which do not result in a RST; or, from an external interface, (2) one byte of "meaningless data," or (3) a TTL that is one less than needed to reach the internal destination. Versions of Cisco PIX firewalls do not validate the checksum of transiting TCP packets. Attackers may be able to use this problem to create a sustained denial of service under certain conditions.

When the Cisco PIX Firewall processes an invalid TCP SYN packet, it rejects, for a certain period of time, any further packets that match that packet's source and destination information (IP address and port). If the source information of the invalid packet is spoofed to be that of a legitimate host, communication from that legitimate host is blocked, so TCP communication from a specific source may be interrupted for a certain period of time (DoS). This issue allows attackers to temporarily block network traffic to arbitrarily targeted TCP services. By repeating the attack, a prolonged denial-of-service condition is possible.

Cisco PIX is a hardware firewall. A remote attacker can use this flaw to deny service to legitimate sources by sending a specially crafted TCP packet with an incorrect checksum whose source and destination IP addresses and ports are those of a legitimate host. Once the PIX firewall receives such a packet, it cannot establish a new TCP session for the addresses and ports specified in that packet. The default blocking time is 2 minutes and 2 seconds, after which normal operation resumes.

Gavrilenko has reported a vulnerability in Cisco PIX, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by the firewall failing to verify the checksum of a TCP SYN packet before the packet is allowed through the firewall and a connection state is set up to track the half-open connection. Packets with incorrect checksum values are silently discarded by the destination host without a RST reply, so the connection state is held for up to two minutes before it is cleared. In the meantime, legitimate SYN packets with the same protocol, IP addresses, and ports are discarded by the firewall. Successful exploitation allows an attacker to prevent a host from establishing connections to another host through the firewall. The vulnerability has been reported in PIX 6.3 and PIX/ASA 7.0.

SOLUTION: The vendor recommends the following workarounds.
1) Issue the commands "clear xlate" or "clear local-host <ip address on the higher security level interface>" to allow the firewall to pass connections again.
2) Modify the default TCP embryonic connection timeout to a lower value, e.g. 10 seconds.
3) Configure TCP Intercept so that the PIX proxies all TCP connection attempts originating from behind any firewall interface after the first connection. This will have a performance impact.

PROVIDED AND/OR DISCOVERED BY: Konstantin V. Gavrilenko, Arhont Ltd

ORIGINAL ADVISORY:
http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038971.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038983.html

Trust: 2.79

sources: NVD: CVE-2005-3774 // CERT/CC: VU#853540 // JVNDB: JVNDB-2005-000696 // BID: 15525 // VULHUB: VHN-14982 // PACKETSTORM: 41770

AFFECTED PRODUCTS

vendor: cisco, model: pix, scope: eq, version: 7.0

Trust: 1.6

vendor: cisco, model: pix, scope: eq, version: 6.3

Trust: 1.6

vendor: cisco, model: pix/asa, scope: eq, version: 7.0

Trust: 1.1

vendor: cisco, model: pix firewall, scope: eq, version: 6.3

Trust: 1.1

vendor: cisco, model: -, scope: -, version: -

Trust: 0.8

vendor: cisco, model: pix/asa, scope: eq, version: 7.0.1.4

Trust: 0.3

vendor: cisco, model: pix os, scope: -, version: -

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5350

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5256.3

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 525

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 520

Trust: 0.3

vendor: cisco, model: pix firewall 515e, scope: -, version: -

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 515

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5060

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5010

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.3.3(133)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.3.2

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.3.1

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.3(5)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.3(3.109)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.3(3.102)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.3(3)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.3(1)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.2.3(110)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.2.3

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.2.2.111

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.2.2

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.2.1

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.2(3.100)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.2(3)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.2(2)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.2(1)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.2

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.1.5(104)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.1.5

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.1.4

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.1.3

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.1(5)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.1(4)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.1(3)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.1(2)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.1(1)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.1

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.0.4

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.0.3

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.0(4.101)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.0(4)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.0(2)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.0(1)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 6.0

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5.3(3)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5.3(2)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5.3(1.200)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5.3(1)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5.3

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5.2(9)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5.2(7)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5.2(6)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5.2(5)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5.2(3.210)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5.2(2)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5.2(1)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5.2

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5.1.4

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5.1(4.206)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5.1

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 5.0

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 4.4(8)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 4.4(7.202)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 4.4(4)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 4.4

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 4.3

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 4.2.2

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 4.2.1

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 4.2(5)

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 4.2

Trust: 0.3

vendor: cisco, model: pix firewall b, scope: eq, version: 4.1.6

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 4.1.6

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 4.0

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 3.1

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 3.0

Trust: 0.3

vendor: cisco, model: pix firewall, scope: eq, version: 2.7

Trust: 0.3

sources: CERT/CC: VU#853540 // BID: 15525 // JVNDB: JVNDB-2005-000696 // CNNVD: CNNVD-200511-314 // NVD: CVE-2005-3774

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2005-3774
value: MEDIUM

Trust: 1.0

CARNEGIE MELLON: VU#853540
value: 4.59

Trust: 0.8

NVD: CVE-2005-3774
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200511-314
value: MEDIUM

Trust: 0.6

VULHUB: VHN-14982
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2005-3774
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2005-3774
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-14982
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#853540 // VULHUB: VHN-14982 // JVNDB: JVNDB-2005-000696 // CNNVD: CNNVD-200511-314 // NVD: CVE-2005-3774

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-DesignError

Trust: 0.8

sources: JVNDB: JVNDB-2005-000696 // NVD: CVE-2005-3774

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200511-314

TYPE

Design Error

Trust: 0.9

sources: BID: 15525 // CNNVD: CNNVD-200511-314

CONFIGURATIONS

sources: JVNDB: JVNDB-2005-000696

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-14982

PATCH

title: cisco-response-20051122-pix, url: http://www.cisco.com/warp/public/707/cisco-response-20051122-pix.shtml

Trust: 0.8

title: cisco-sr-20060307-pix, url: http://www.cisco.com/warp/public/707/cisco-sr-20060307-pix.shtml

Trust: 0.8

sources: JVNDB: JVNDB-2005-000696

EXTERNAL IDS

db: SECUNIA, id: 17670

Trust: 3.4

db: CERT/CC, id: VU#853540

Trust: 3.3

db: BID, id: 15525

Trust: 2.8

db: NVD, id: CVE-2005-3774

Trust: 2.5

db: VUPEN, id: ADV-2005-2546

Trust: 1.7

db: OSVDB, id: 24140

Trust: 1.7

db: SECTRACK, id: 1015256

Trust: 1.7

db: JVNDB, id: JVNDB-2005-000696

Trust: 0.8

db: CNNVD, id: CNNVD-200511-314

Trust: 0.7

db: XF, id: 25079

Trust: 0.6

db: XF, id: 25077

Trust: 0.6

db: CISCO, id: 20051128 RESPONSE TO CISCO PIX TCP CONNECTION PREVENTION

Trust: 0.6

db: FULLDISC, id: 20051122 CISCO PIX TCP CONNECTION PREVENTION

Trust: 0.6

db: BUGTRAQ, id: 20051122 CISCO PIX TCP CONNECTION PREVENTION

Trust: 0.6

db: BUGTRAQ, id: 20060307 RE: CISCO PIX EMBRYONIC STATE MACHINE 1B DATA DOS

Trust: 0.6

db: BUGTRAQ, id: 20060307 CISCO PIX EMBRYONIC STATE MACHINE 1B DATA DOS

Trust: 0.6

db: BUGTRAQ, id: 20060307 CISCO PIX EMBRYONIC STATE MACHINE TTL(N-1) DOS

Trust: 0.6

db: EXPLOIT-DB, id: 26548

Trust: 0.1

db: EXPLOIT-DB, id: 1338

Trust: 0.1

db: SEEBUG, id: SSVID-80179

Trust: 0.1

db: VULHUB, id: VHN-14982

Trust: 0.1

db: PACKETSTORM, id: 41770

Trust: 0.1

sources: CERT/CC: VU#853540 // VULHUB: VHN-14982 // BID: 15525 // JVNDB: JVNDB-2005-000696 // PACKETSTORM: 41770 // CNNVD: CNNVD-200511-314 // NVD: CVE-2005-3774

REFERENCES

url:http://lists.grok.org.uk/pipermail/full-disclosure/2005-november/038983.html

Trust: 2.9

url:http://www.cisco.com/warp/public/707/cisco-response-20051122-pix.shtml

Trust: 2.5

url:http://www.securityfocus.com/bid/15525

Trust: 2.5

url:http://www.kb.cert.org/vuls/id/853540

Trust: 2.5

url:http://lists.grok.org.uk/pipermail/full-disclosure/2005-november/038971.html

Trust: 2.1

url:http://secunia.com/advisories/17670/

Trust: 1.7

url:http://www.cisco.com/en/us/products/hw/vpndevc/ps2030/products_security_notice09186a0080624a37.html

Trust: 1.7

url:http://www.osvdb.org/24140

Trust: 1.7

url:http://securitytracker.com/id?1015256

Trust: 1.7

url:http://secunia.com/advisories/17670

Trust: 1.7

url:http://www.frsirt.com/english/advisories/2005/2546

Trust: 1.4

url:http://www.securityfocus.com/archive/1/417458/30/0/threaded

Trust: 1.1

url:http://www.securityfocus.com/archive/1/426989/100/0/threaded

Trust: 1.1

url:http://www.securityfocus.com/archive/1/426991/100/0/threaded

Trust: 1.1

url:http://www.securityfocus.com/archive/1/427041/100/0/threaded

Trust: 1.1

url:http://www.vupen.com/english/advisories/2005/2546

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/25077

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/25079

Trust: 1.1

url:http://www.cisco.com/en/us/products/sw/secursw/ps2120/products_security_notice09186a008059a411.html

Trust: 0.8

url:http://www.ciac.org/ciac/bulletins/q-062.shtml

Trust: 0.8

url:http://lists.grok.org.uk/pipermail/full-disclosure/2005-november/038971.html

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-3774

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2005-3774

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/25079

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/25077

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/427041/100/0/threaded

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/426991/100/0/threaded

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/426989/100/0/threaded

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/417458/30/0/threaded

Trust: 0.6

url:http://seclists.org/lists/fulldisclosure/2006/mar/0146.html

Trust: 0.3

url:/archive/1/426991

Trust: 0.3

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/product/6102/

Trust: 0.1

url:http://secunia.com/product/56/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

sources: CERT/CC: VU#853540 // VULHUB: VHN-14982 // BID: 15525 // JVNDB: JVNDB-2005-000696 // PACKETSTORM: 41770 // CNNVD: CNNVD-200511-314 // NVD: CVE-2005-3774

CREDITS

Randy Ivener (rivener@cisco.com); Konstantin V. Gavrilenko (mlists@arhont.com)

Trust: 0.6

sources: CNNVD: CNNVD-200511-314

SOURCES

db: CERT/CC, id: VU#853540
db: VULHUB, id: VHN-14982
db: BID, id: 15525
db: JVNDB, id: JVNDB-2005-000696
db: PACKETSTORM, id: 41770
db: CNNVD, id: CNNVD-200511-314
db: NVD, id: CVE-2005-3774

LAST UPDATE DATE

2024-08-14T13:50:57.568000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#853540, date: 2005-12-01T00:00:00
db: VULHUB, id: VHN-14982, date: 2018-10-19T00:00:00
db: BID, id: 15525, date: 2006-03-10T01:15:00
db: JVNDB, id: JVNDB-2005-000696, date: 2007-04-01T00:00:00
db: CNNVD, id: CNNVD-200511-314, date: 2007-09-05T00:00:00
db: NVD, id: CVE-2005-3774, date: 2018-10-19T15:39:04.887

SOURCES RELEASE DATE

db: CERT/CC, id: VU#853540, date: 2005-11-23T00:00:00
db: VULHUB, id: VHN-14982, date: 2005-11-23T00:00:00
db: BID, id: 15525, date: 2005-11-22T00:00:00
db: JVNDB, id: JVNDB-2005-000696, date: 2007-04-01T00:00:00
db: PACKETSTORM, id: 41770, date: 2005-11-30T04:03:08
db: CNNVD, id: CNNVD-200511-314, date: 2005-11-22T00:00:00
db: NVD, id: CVE-2005-3774, date: 2005-11-23T00:03:00