
PIX VPN Issues 1

Status
Not open for further replies.

INT1973

Technical User
Apr 26, 2004
25
US
We have a Cisco PIX 515E connecting to the Internet and set up 4 VPN site-to-site tunnels. We found some strange problem recently with one of the Unix machines that kept crashing, and we finally narrowed the problem down to the PIX VPN. Every time we turn on more than one VPN tunnel, this Unix equipment crashes. The Unix box is in Location B and talks to a Billing Server in Location A via a point-to-point T-1. Communication between the UNIX box and billing server is fine as long as the VPNs are turned off. It stays fine with one VPN tunnel on and crashes as soon as we enable the second VPN.
In Location A we have a Cisco PIX, Billing Server, and Router (connecting to different remote sites). All these are connected using an Intel hub. We are replacing these hubs with a Cisco switch today. We did not find any problem with the PIX yet. No changes were done to the network. All this worked before. We used a protocol analyzer and everything seems fine. No viruses or Trojans. The only change we did was in January by updating the PIX IOS 6.1 to 6.3(3). I know there is a bug in IOS 6.3(3), some TCP flaws.


Any ideas are greatly appreciated.

Thanks
 
Hi,

Strange indeed.
I think this could be related to the UNIX OS, as I am sure other win32 servers/PCs do not crash when the VPNs are up.
I know that from earlier days, when SYN attacks were at their peak, especially UNIX hosts tended to crash, because they didn't handle embryonic connections well.
Could this be your problem?
Try a test with a SYN-DOS tool... comes to mind 8)
Could be that maybe when the VPN is up there are two paths to the server, and hence SYN packets are sent (path-1), but the SYN-ACK is replied the other way (path-2), hence the TCP connection drops (RST) and new SYNs are sent.
After a short while your old buggy Unix stack crashes ...

HTH
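The reply above offers a hypothesis: with a second path up, a SYN goes out one way and the SYN-ACK comes back the other, connections get reset and retried, and the server accumulates half-open (embryonic) connections until its stack gives up. The following script is an added example, not code from the thread or from Cisco; it runs a simple connection tracker over a constructed packet trace (interface, 5-tuple, TCP flags) and reports flows whose SYN and SYN-ACK were seen on different interfaces, how many flows were reset, and how many half-open flows remain per server. Interface names, addresses (RFC 5737 documentation ranges) and ports are placeholders chosen for the example.

```python
"""Detect asymmetric TCP paths and half-open connection build-up in a packet
trace.  Added example for the thread's hypothesis; the trace below is
constructed, not a real capture from the poster's network."""
from collections import defaultdict

# Constructed trace: (interface, src, sport, dst, dport, flags).
# 192.0.2.10 plays the Unix box, 198.51.100.5 the billing server.
SAMPLE_TRACE = [
    ("t1",  "192.0.2.10",   40001, "198.51.100.5", 1521, "S"),   # SYN over the T-1
    ("t1",  "198.51.100.5", 1521,  "192.0.2.10",   40001, "SA"), # SYN-ACK back on T-1 (symmetric)
    ("t1",  "192.0.2.10",   40001, "198.51.100.5", 1521, "A"),   # handshake completes
    ("t1",  "192.0.2.10",   40002, "198.51.100.5", 1521, "S"),
    ("vpn", "198.51.100.5", 1521,  "192.0.2.10",   40002, "SA"), # SYN-ACK returns via VPN (asymmetric)
    ("t1",  "192.0.2.10",   40002, "198.51.100.5", 1521, "R"),   # client tears it down
    ("t1",  "192.0.2.10",   40003, "198.51.100.5", 1521, "S"),
    ("vpn", "198.51.100.5", 1521,  "192.0.2.10",   40003, "SA"),
    ("t1",  "192.0.2.10",   40003, "198.51.100.5", 1521, "R"),
    ("t1",  "192.0.2.10",   40004, "198.51.100.5", 1521, "S"),   # never answered: stays embryonic
]


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a flow match."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def analyze(trace):
    """Walk the trace once, tracking handshake state per flow."""
    flows = {}
    asymmetric = []
    resets = 0
    for iface, src, sport, dst, dport, flags in trace:
        key = flow_key(src, sport, dst, dport)
        if flags == "S":
            flows[key] = {"state": "SYN_SENT", "syn_if": iface,
                          "client": (src, sport), "server": dst}
        elif flags == "SA":
            f = flows.get(key)
            if f is None:
                continue                      # SYN-ACK for a flow we never saw open
            if f["syn_if"] != iface:          # reply took a different path than the SYN
                asymmetric.append({"client": f["client"], "syn_if": f["syn_if"],
                                   "synack_if": iface})
            f["state"] = "SYN_RECV"
        elif flags == "A":
            f = flows.get(key)
            if f and f["state"] == "SYN_RECV" and (src, sport) == f["client"]:
                f["state"] = "ESTABLISHED"    # third packet of the handshake
        elif flags == "R":
            if key in flows:
                resets += 1
                del flows[key]                # RST discards the connection state
    # Anything still short of ESTABLISHED is an embryonic connection the server holds.
    half_open = defaultdict(int)
    for f in flows.values():
        if f["state"] in ("SYN_SENT", "SYN_RECV"):
            half_open[f["server"]] += 1
    return {"asymmetric": asymmetric, "resets": resets, "half_open": dict(half_open)}


if __name__ == "__main__":
    report = analyze(SAMPLE_TRACE)
    for entry in report["asymmetric"]:
        print("asymmetric path:", entry)
    print("resets:", report["resets"], "half-open per server:", report["half_open"])
```

Run against a real trace exported with the interface name per packet, a non-empty `asymmetric` list confirms the two-path theory, while a growing `half_open` count for one server without asymmetry points at plain SYN exhaustion instead.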
 
I kinda suspected that. I called the Cisco Development Team to escalate this issue and they finally gave me PIX IOS Version 6.3.3(132). I updated the IOS and will know tomorrow when I turn these VPNs on. They think there may be a smurf attack and this IOS might fix it.

Thanks for your input. If it works, I will post the solution on this site so that other people are aware of this.

Thanks
 
I would still suggest you update the OS as well - even with a fixed/updated PIX-OS you'd still be vulnerable to these attacks; even mishaps in applications can cause the server to crash.

I haven't seen build 132 yet - what is that supposed to fix?
Latest I saw was 124 providing OpenSSH fixes... again 8)
 
Where can I download the SYN-DOS tool?

Thanks
INT
 
Headline: TCP checks should verify RST seq number for conns through the PIX.
Product: pix
Component: fw
Severity: 2
Status: Resolved
First Found-in Version: 6.3(3)
First Fixed-in Version: 6.3(3.132), 6.1(5.103), 6.2(3.109)
Release Notes:

A vulnerability in the Transmission Control Protocol (TCP) specification
(RFC793) has been discovered by an external researcher. The successful
exploitation enables an adversary to reset any established TCP connection in a
much shorter time than was previously discussed publicly. Depending on the
application, the connection may get automatically re-established. In other
cases, a user will have to repeat the action (for example, open a new Telnet or
SSH session). Depending upon the attacked protocol, a successful attack may
have additional consequences beyond terminated connection which must be
considered. This attack vector is only applicable to the sessions which are
terminating on a device (such as a router, switch, or computer) and not to the
sessions that are only passing through the device (for example, transit traffic
that is being routed by a router). In addition, this attack vector does not
directly compromise data integrity or confidentiality.

All Cisco products which contain TCP stack are susceptible to this vulnerability.

This advisory is available at
and it
describes this vulnerability as it applies to Cisco products that run Cisco
IOS® software.

A companion advisory that describes this vulnerability for products that do not
run Cisco IOS software is available at
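The bug headline quoted above says the fix makes the PIX verify the sequence number of RST segments for connections passing through it, and the advisory explains why: a stack that accepts any RST whose sequence number falls inside the receive window can be reset with far fewer guesses than the full 32-bit space would suggest. The model below is an added example written for this thread, not Cisco's code and not a description of how the PIX implements the check; it tracks one connection's expected sequence number and contrasts the lax in-window test with a strict exact-match test, counting how many of the 2^32 sequence values each rule would accept. The segment layout and the `ConnectionTracker` class are assumptions made for the example.

```python
"""Compare RST sequence-number validation rules for a tracked TCP connection.
Added example; models the defensive check, not any vendor implementation."""
SEQ_SPACE = 1 << 32


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) with 32-bit wrap-around."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_accepted(seq, rcv_nxt, rcv_wnd, strict):
    """Lax rule: any in-window RST tears the connection down.
    Strict rule: only an RST carrying exactly the next expected sequence number does."""
    if strict:
        return seq == rcv_nxt
    return in_window(seq, rcv_nxt, rcv_wnd)


def accepted_seq_values(rcv_wnd, strict):
    """How many of the 2^32 sequence values pass the check for one connection.
    The ratio SEQ_SPACE / accepted_seq_values(...) is how much harder the
    strict rule makes an off-path guess."""
    return 1 if strict else rcv_wnd


class ConnectionTracker:
    """Minimal per-connection state as a stateful firewall might keep it
    (hypothetical structure for this example)."""

    def __init__(self, rcv_nxt, rcv_wnd, strict=True):
        self.rcv_nxt = rcv_nxt % SEQ_SPACE
        self.rcv_wnd = rcv_wnd
        self.strict = strict
        self.established = True
        self.dropped_rst = 0   # RSTs that failed validation, worth alerting on

    def process(self, seg):
        """seg is a dict with 'seq', 'flags' and 'len'; returns True if forwarded."""
        if not self.established:
            return False
        if "R" in seg["flags"]:
            if rst_accepted(seg["seq"], self.rcv_nxt, self.rcv_wnd, self.strict):
                self.established = False
                return True
            self.dropped_rst += 1
            return False
        # Ordinary data: advance the expected sequence number when it is in order.
        if seg["seq"] == self.rcv_nxt:
            self.rcv_nxt = (self.rcv_nxt + seg["len"]) % SEQ_SPACE
        return True


def run_scenario(strict):
    """Constructed scenario: a connection at rcv_nxt=1000 with a 65535-byte
    window receives an RST 4000 bytes ahead of the expected sequence number."""
    conn = ConnectionTracker(rcv_nxt=1000, rcv_wnd=65535, strict=strict)
    conn.process({"seq": 1000, "flags": "A", "len": 100})   # in-order data, rcv_nxt -> 1100
    conn.process({"seq": 5100, "flags": "R", "len": 0})     # in-window but not at rcv_nxt
    return {"established": conn.established, "dropped_rst": conn.dropped_rst}


if __name__ == "__main__":
    for strict in (False, True):
        print("strict" if strict else "lax", run_scenario(strict),
              "accepted seq values:", accepted_seq_values(65535, strict))
```

With the lax rule the scenario's connection is torn down by an RST that merely lands inside the window; with the strict rule it survives and the bogus RST is counted in `dropped_rst`, which is the event a firewall log should surface. The same exact-match idea is what RFC 5961 later standardised for end hosts (with a challenge ACK for in-window but inexact RSTs), so the model generalises beyond the PIX case the thread discusses.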
 
thank you!
Then in fact I did see it, but didn't notice it...:

"This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router)"


So this will not fix your issues... or?

Comes to mind, with all the TCP-stack vulnerabilities around these days, e.g. on BGP etc., also several P2P programs can do this, so I have read.

 
Just a small aside, PIX do not run IOS. The operating system on a pix is called Finesse, and is sometimes referred to as PIX o/s, or more correctly FOS.

This is an interesting problem, by the by ... too tired to think of anything useful at the moment though

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 