Super-Networking Blog

Tag: FWSM

Vulnerability in Cisco PIX and ASA Appliances

by admin on May.04, 2007, under Networking, Security

Cisco confirms the memory exhaustion vulnerability described in the advisory published by CERT/CC, and confirms that it affects PIX and ASA appliances running system software 7.2 only. Exploitation of the vulnerability may lead to a denial of service condition against the appliance.

The Firewall Services Module (FWSM) is not affected by this vulnerability.

PSIRT would like to thank Grant Deffenbaugh and Lisa Sittler from the CERT/CC for reporting this vulnerability to Cisco.

We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in security vulnerability reports against Cisco products.


Cisco Firewall - Land Attack

by admin on May.03, 2007, under Firewalls, Networking, Security

I have been seeing some “Critical Syslog Events” coming through lately from my Cisco FWSM (Firewall Services Module). The event number is FWSM-2-106017, or if you have a PIX it would be PIX-2-106017.

When you go to Cisco’s site for the explanation, this is what they give you:

Error Message    %FWSM-2-106017: Deny IP due to Land Attack from IP_addr to IP_addr

Explanation    This message indicates that the module received a packet with the IP source address equal to the IP destination and the destination port equal to the source port. This indicates a spoofed packet that is designed to attack systems. This attack is referred to as a land attack. If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.

Recommended Action    None.

This is fine and dandy but doesn’t help me track down what the problem is. I don’t believe this is truly a land attack, since it only seems to happen when the sysadmins are working on this box. The IP it is coming from is a web server, and this web server has an internal IP and a NATted external IP. When changes are made you want to test the website, so you browse to the site from the server itself. The hostname resolves to the NATted external IP, so the request leaves through the firewall, where its source address is translated to that same external IP; it hits the router and is then sent back through the firewall toward the internal IP. This is where the land attack comes in: after translation the packet’s source and destination are the same address, and the firewall sees it arriving on a different interface than the one it originally came in on.

I haven’t seen a fix for this; you could probably disable this rule in the firewall, or just make sure you go to the internal IP instead of the NATted IP when testing from the web server itself (a hosts-file entry or split DNS on the server makes the site name resolve to the internal address, so the test traffic never leaves the inside network).
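As an added example (not code from the original post or from Cisco), here is a small Python triage script that pulls 106017 events out of syslog lines in the format quoted above and separates the hairpin-NAT self-test pattern from anything else. The static NAT table, the device hostname and the log lines are constructed for illustration; replace the table with the static entries from your own firewall.

```python
import re
from collections import Counter

# Message body as documented for %FWSM-2-106017 / %PIX-2-106017 (ASA uses the
# same number). The syslog timestamp/host prefix varies by collector, so only
# the message body is matched.
LAND_RE = re.compile(
    r"%(?P<dev>FWSM|PIX|ASA)-2-106017: Deny IP due to Land Attack "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) to (?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)

# Hypothetical static NAT table: internal address -> public (NATted) address.
# Replace with the static translations from your own firewall config.
STATIC_NAT = {"10.1.1.20": "203.0.113.20"}

# Constructed sample log; the hostname and addresses are made up.
SAMPLE_LOG = """\
May  3 10:12:01 fwsm-core %FWSM-2-106017: Deny IP due to Land Attack from 203.0.113.20 to 203.0.113.20
May  3 10:12:02 fwsm-core %FWSM-2-106017: Deny IP due to Land Attack from 203.0.113.20 to 203.0.113.20
May  3 10:12:05 fwsm-core %FWSM-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.1.1.5/22 by access-group "outside_in"
May  3 10:13:40 fwsm-core %FWSM-2-106017: Deny IP due to Land Attack from 192.0.2.9 to 192.0.2.9
"""


def parse_land_events(log_text):
    """Return (device, src, dst) for every 106017 line; other messages are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LAND_RE.search(line)
        if m:
            events.append((m.group("dev"), m.group("src"), m.group("dst")))
    return events


def classify(events, static_nat):
    """Label each event: 'hairpin' when the address is one of our own NATted
    public addresses (the self-test pattern from the post), 'suspect' otherwise."""
    public_addrs = set(static_nat.values())
    verdicts = []
    for _dev, src, dst in events:
        if src != dst:
            # 106017 is only raised when the addresses are equal; anything
            # else means the line was mangled somewhere in the pipeline.
            verdict = "malformed"
        elif src in public_addrs:
            verdict = "hairpin"
        else:
            verdict = "suspect"
        verdicts.append((src, verdict))
    return verdicts


def summarize(log_text, static_nat=STATIC_NAT):
    """Count events per (address, verdict) so repeated self-tests collapse to one row."""
    counts = Counter()
    for src, verdict in classify(parse_land_events(log_text), static_nat):
        counts[(src, verdict)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (addr, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{addr:16} {verdict:9} x{n}")
```

The "hairpin" label is a hint, not proof: a packet spoofed from outside with source and destination both set to your public address would be classified the same way, so correlate the timestamps with the admins' sessions on the box (the post's own observation) and, where your collector records it, the interface the packet arrived on before dismissing the events.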
