Cisco PIX and CBAC Fragmentation Attack

Both the Cisco PIX Firewall software as the Context-based Access Control (CBAC) feature of Cisco's IOS Firewall Feature Set do not properly check non-initial fragmented IP packets. Although the non-initial fragmented IP packets might belong to session which would normally be blocked, they are forwarded to the destination host. This may lead to a denial of services (DOS) attack due to the exhaustion of resources required to keep track of the fragmented IP packets.

The problem can be fixed by keeping track of the sessions that fragmented IP packets belong to and by blocking non-initial fragmented IP packets for which no initial packet has been seen.

The DOS attack can easily be carried out by publically available tools.


Privacy Statement
Copyright 2010, SecurityFocus