Cisco equipment does not block some IP fragmentation attacks
| cisco-fragmented-attacks (1584) |  Medium Risk |
Description:
Cisco PIX Firewalls and CBAC-enabled IOS could allow an attacker to bypass security. Neither of these products are capable of stopping certain types of attacks based on fragmented IP packets. An attacker could exploit this vulnerability to launch a denial of service attack on a computer behind routers and firewalls.
Platforms Affected:
- Cisco, IOS 11.2P
- Cisco, IOS 11.3T
- Cisco, IOS 12.0
- Cisco, IOS 12.0T
- Cisco, PIX Firewall 4.2(1)
Remedy:
Upgrade to the latest version of PIX Firewall (4.2(2) or later), as listed in Cisco Systems Field Notice, September 11, 1998. See References.
— AND —
Affected IOS users should upgrade to the latest version of software available for your equipment. If this isn't possible, users should refer to the Cisco Field Notice for detailed workaround information.
Consequences:
Bypass Security
References:
- Cisco Systems Field Notice, Friday, September 11, 1998, Cisco PIX and CBAC Fragmentation Attack at http://www.cisco.com/warp/public/770/nifrag.shtml.
- BID-690: Cisco PIX and CBAC Fragmentation Attack
- CVE-1999-0157: Cisco PIX firewall and CBAC IP fragmentation attack results in a denial of service.
- CVE-1999-0588: A filter in a router or firewall allows unusual fragmented packets.
- OSVDB ID: 1097: Cisco PIX and IOS Fragmentation Attack DoS
Reported:
Aug 19, 1998
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net