A vulnerability exists in the Cisco Firewall Services Module (FWSM) for the Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The vulnerability may cause the FWSM to stop forwarding traffic and may be triggered while processing multiple, crafted ICMP messages. There are no known instances of intentional exploitation of this vulnerability. However, Cisco has observed data streams that appear to trigger this vulnerability unintentionally. Cisco has released software updates that address this vulnerability. This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090819-fwsm.
A vulnerability exists in the Cisco Firewall Services Module (FWSM) for the Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The vulnerability may cause the FWSM to stop forwarding traffic and may be triggered while processing multiple, crafted ICMP messages.
There are no known instances of intentional exploitation of this vulnerability. However, Cisco has observed data streams that appear to trigger this vulnerability unintentionally.
Cisco has released software updates that address this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090819-fwsm.
All non-fixed 2.x, 3.x and 4.x versions of the FWSM software are affected by this vulnerability.
To determine the version of the FWSM software that is running, issue the show module command-line interface (CLI) command from Cisco IOS Software or Cisco Catalyst Operating System Software to identify what modules and sub-modules are installed in the system.
The following example shows a system with an FWSM (WS-SVC-FWM-1) installed in slot 4.
Vulmon
switch#show module
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ----------------- -----------
1 48 SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX SAxxxxxxxxx
4 6 Firewall Module WS-SVC-FWM-1 SAxxxxxxxxx
5 2 Supervisor Engine 720 (Active) WS-SUP720-BASE SAxxxxxxxxx
6 2 Supervisor Engine 720 (Hot) WS-SUP720-BASE SAxxxxxxxxx
After locating the correct slot, issue the show module
switch#show module 4
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ----------------- -----------
4 6 Firewall Module WS-SVC-FWM-1 SAxxxxxxxxx
Mod MAC addresses Hw Fw Sw Status
--- --------------------------------- ------ ------------ ------------ -------
4 0003.e4xx.xxxx to 0003.e4xx.xxxx 3.0 7.2(1) 3.2(3) Ok
The preceding example shows that the FWSM is running software version 3.2(3) as indicated by the column under "Sw".
Note: Recent versions of Cisco IOS Software will show the software
version of each module in the output from the show
module command; therefore, executing the show module
If a Virtual Switching System (VSS) is used to allow two physical Cisco
Catalyst 6500 Series Switches to operate as a single logical virtual switch,
the show module switch all command can display the
software version of all FWSMs that belong to switch 1 and switch 2. The output
from this command will be similar to the output from the show
module
Alternatively, version information can be obtained directly from the FWSM through the show version command, as shown in the following example.
FWSM#show version FWSM Firewall Version 3.2(3)
Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window. The version notation is similar to the following example.
FWSM Version: 3.2(3)
Other Cisco products that offer firewall services, including Cisco IOS Software, Cisco ASA 5500 Series Adaptive Security Appliances, and Cisco PIX Security Appliances, are not affected by this vulnerability.
No other Cisco products are currently known to be affected by this vulnerability.
The Cisco FWSM is a high-speed, integrated firewall module for Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The FWSM offers firewall services with stateful packet filtering and deep packet inspection.
A vulnerability exists in the Cisco FWSM Software that may cause the FWSM to stop forwarding traffic between interfaces, or stop processing traffic that is directed at the FWSM (management traffic) after multiple, crafted ICMP messages are processed by the FWSM. Any traffic that transits or is directed towards the FWSM is affected, regardless of whether ICMP inspection (inspect icmp command under Class configuration mode) is enabled.
The FWSM stops processing traffic because one of the Network Processors (NPs) that is used by the FWSM to handle traffic may use all available execution threads while handling a specific type of crafted ICMP messages. This behavior limits the execution threads that are available to handle additional traffic.
Administrators may be able to determine if the FWSM has been affected by this vulnerability by issuing the show np 2 stats command. If this command produces output showing various counters and their values, as shown in the example CLI output that follows, the FWSM has not been affected by the vulnerability. If the command returns a single line that reads "ERROR: np_logger_query request for FP Stats failed", the FWSM may have been affected by the vulnerability.
FWSM#show np 2 stats ------------------------------------------------------------------------------- Fast Path 64 bit Global Statistics Counters (NP-2) ------------------------------------------------------------------------------- PKT_MNG: total packets (dot1q) rcvd : 10565937 PKT_MNG: total packets (dot1q) sent : 4969517 PKT_MNG: total packets (dot1q) dropped : 65502 PKT_MNG: TCP packets received : 0 PKT_MNG: UDP packets received : 4963509 PKT_MNG: ICMP packets received : 0 PKT_MNG: ARP packets received : 2 PKT_MNG: other protocol pkts received : 0 PKT_MNG: default (no IP/ARP) dropped : 0 SESS_MNG: sessions created : 18 SESS_MNG: sessions embryonic to active : 0 ...
An FWSM that stops processing traffic as a result of this vulnerability
will need to be reloaded. Administrators can reload the FWSM from the
supervisor of the Catalyst 6500 Series Switch or the Cisco 7600 Series Router
by issuing the command hw-module module
If an FWSM that is configured for failover operation encounters this issue, the active FWSM may not properly fail over to the standby FWSM.
IPv6 (in particular ICMPv6) cannot trigger this vulnerability.
This issue is documented in Cisco Bug ID CSCsz97207 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-0638.
There are no workarounds for this vulnerability. Access control lists (ACLs) that are deployed on the FWSM itself to block through-the-device or to-the-device ICMP messages are not effective to prevent this vulnerability. However, blocking unnecessary ICMP messages on screening devices or on devices in the path to the FWSM will prevent the FWSM from triggering the vulnerability. For example, the following ACL, when deployed on a Cisco IOS device in front of the FWSM, will prevent crafted ICMP messages from reaching the FWSM, and thus protect the FWSM from triggering the vulnerability:
access-list 101 permit icmp any any echo access-list 101 permit icmp any any echo-reply access-list 101 permit icmp any any traceroute access-list 101 permit icmp any any packet-too-big access-list 101 permit icmp any any time-exceeded access-list 101 permit icmp any any host-unreachable access-list 101 permit icmp any any unreachable access-list 101 deny icmp any any access-list 101 permit ip any any
This sample ACL is allowing certain ICMP messages that are vital for network troubleshooting and for proper operation of the network. It is safe to allow any other ICMP messages for which the Cisco IOS Software access-list command has named ICMP type keywords. ACLs like the one in the preceding example may also be deployed on non-Cisco IOS devices, such as the Cisco PIX and ASA security appliances, although the ACL syntax on non-Cisco IOS devices may not support all the named ICMP type keywords that the Cisco IOS ACL syntax supports. However, on non-Cisco IOS devices, it is safe to permit all ICMP messages for which there are named ICMP type keywords in the ACL syntax.
As mentioned in the Details section, if the FWSM has stopped processing
traffic due to this vulnerability, the FWSM will require a reload.
Administrators can reload the FWSM by logging in to the supervisor of the
Catalyst 6500 Series Switch or the Cisco 7600 Series router and issuing the
hw-module module
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20090819-fwsm.
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Each row of the FWSM software table below describes a major FWSM software train and the earliest possible release within that train that contains the fix (the "First Fixed Release") and the anticipated date of availability (if not currently available) in the "First Fixed Release" column. A device running a release that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).
|
Major Release |
First Fixed Release |
|---|---|
|
2.x |
Vulnerable; migrate to 3.x or 4.x |
|
3.1 |
3.1(16) |
|
3.2 |
3.2(13) |
|
4.0 |
4.0(6) |
Fixed FWSM software can be downloaded from the Software Center on cisco.com by visiting http://www.cisco.com/cisco/web/download/index.html and navigating to "Security" > "Cisco Catalyst 6500 Series Firewall Services Module" > "Firewall Services Module (FWSM) Software".
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory, but Cisco is aware of customers that have encountered this vulnerability during normal network operation.
This vulnerability was discovered during the handling of customer support cases.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
|
Revision 1.0 |
2009-August-19 |
Initial public release.. |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.