Comments on: Cisco Security Advisory: FWSM Crafted ICMP Message Vulnerability http://www.firstdigest.com/2009/08/cisco-security-advisory-fwsm-crafted-icmp-message-vulnerability/ Cisco | How to do it Sun, 14 Mar 2010 08:38:04 +0000 http://wordpress.org/?v=abc hourly 1 By: Calin http://www.firstdigest.com/2009/08/cisco-security-advisory-fwsm-crafted-icmp-message-vulnerability/comment-page-1/#comment-771 Calin Thu, 03 Sep 2009 06:41:56 +0000 http://www.firstdigest.com/?p=1721#comment-771 <p>Jayson, in the lab test I could not crash a FWSM with all kind of ICMP traffic. In our real environment we have some FWSM modules, but also I didn't noticed any bad behavior due to some strange ICMP traffic. On web, forums, blogs and so on...nobody strongly suggest that they had such a problem.</p> <p>So, I believe that it exist indeed, but the probability to happen is not high for the moment as there is not a known exploit for this vulnerability.</p> Jayson, in the lab test I could not crash a FWSM with all kind of ICMP traffic. In our real environment we have some FWSM modules, but also I didn’t noticed any bad behavior due to some strange ICMP traffic. On web, forums, blogs and so on…nobody strongly suggest that they had such a problem.

So, I believe that it exist indeed, but the probability to happen is not high for the moment as there is not a known exploit for this vulnerability.

]]> By: Jayson http://www.firstdigest.com/2009/08/cisco-security-advisory-fwsm-crafted-icmp-message-vulnerability/comment-page-1/#comment-731 Jayson Fri, 28 Aug 2009 06:51:37 +0000 http://www.firstdigest.com/?p=1721#comment-731 Hi Calin, So is this vulnerability only a lab case from Cisco?  There are no user reports that were affected with this? Thanks! Hi Calin,
So is this vulnerability only a lab case from Cisco?  There are no user reports that were affected with this?
Thanks!

]]> By: Calin http://www.firstdigest.com/2009/08/cisco-security-advisory-fwsm-crafted-icmp-message-vulnerability/comment-page-1/#comment-727 Calin Thu, 27 Aug 2009 13:51:11 +0000 http://www.firstdigest.com/?p=1721#comment-727 <p>Chintan, if we take Cisco's words  "...the following ACL, when deployed on a Cisco IOS device in front of the FWSM..." than you can apply it on the VLAN on C6500. I believe in this case doesn't matter if the device in front is a real separate device, connected with a cooper/fiber/etc cable to the chassis holding the FWSM or through backplane.</p> <p>The important thing is that this crafted ICMP packets not to arrive /travel through FWSM. Anyway for me the description of this vulnerability is a little bit ambiguous due to the fact that we don't know for sure what ICMP packet can make FWSM crash.</p> <p>I tested with a FWSM, with different type of ICMP packets and different patterns, but I could not crash the device...</p> Chintan, if we take Cisco’s words  “…the following ACL, when deployed on a Cisco IOS device in front of the FWSM…” than you can apply it on the VLAN on C6500. I believe in this case doesn’t matter if the device in front is a real separate device, connected with a cooper/fiber/etc cable to the chassis holding the FWSM or through backplane.

The important thing is that this crafted ICMP packets not to arrive /travel through FWSM. Anyway for me the description of this vulnerability is a little bit ambiguous due to the fact that we don’t know for sure what ICMP packet can make FWSM crash.

I tested with a FWSM, with different type of ICMP packets and different patterns, but I could not crash the device…

]]> By: Chintan http://www.firstdigest.com/2009/08/cisco-security-advisory-fwsm-crafted-icmp-message-vulnerability/comment-page-1/#comment-722 Chintan Thu, 27 Aug 2009 11:19:29 +0000 http://www.firstdigest.com/?p=1721#comment-722 If i have 6500 with FWSM installed Can I apply this w/a (ACL) on 6500 itself on logical VLAN interface towards FWSM ? will this protect ? If i have 6500 with FWSM installed Can I apply this w/a (ACL) on 6500 itself on logical VLAN interface towards FWSM ? will this protect ?

]]> By:   Cisco Security Advisory: FWSM Crafted ICMP Message Vulnerability … by Cisco Information Technology http://www.firstdigest.com/2009/08/cisco-security-advisory-fwsm-crafted-icmp-message-vulnerability/comment-page-1/#comment-671   Cisco Security Advisory: FWSM Crafted ICMP Message Vulnerability … by Cisco Information Technology Fri, 21 Aug 2009 15:17:50 +0000 http://www.firstdigest.com/?p=1721#comment-671 [...] View post: Cisco Security Advisory: FWSM Crafted ICMP Message Vulnerability … [...] [...] View post: Cisco Security Advisory: FWSM Crafted ICMP Message Vulnerability … [...]

]]> By: Cisco Security Advisory: FWSM Crafted ICMP Message Vulnerability … | Hack In The Box http://www.firstdigest.com/2009/08/cisco-security-advisory-fwsm-crafted-icmp-message-vulnerability/comment-page-1/#comment-670 Cisco Security Advisory: FWSM Crafted ICMP Message Vulnerability … | Hack In The Box Fri, 21 Aug 2009 14:20:45 +0000 http://www.firstdigest.com/?p=1721#comment-670 [...] Cisco Security Advisory: FWSM Crafted ICMP Message Vulnerability … Share and [...] [...] Cisco Security Advisory: FWSM Crafted ICMP Message Vulnerability … Share and [...]

]]> By: Calin http://www.firstdigest.com/2009/08/cisco-security-advisory-fwsm-crafted-icmp-message-vulnerability/comment-page-1/#comment-669 Calin Fri, 21 Aug 2009 10:39:50 +0000 http://www.firstdigest.com/?p=1721#comment-669 <p>Thanks for the comment. I updated my post to avoid confusions!</p> Thanks for the comment. I updated my post to avoid confusions!

]]> By: João Sena Ribeiro http://www.firstdigest.com/2009/08/cisco-security-advisory-fwsm-crafted-icmp-message-vulnerability/comment-page-1/#comment-668 João Sena Ribeiro Fri, 21 Aug 2009 10:23:28 +0000 http://www.firstdigest.com/?p=1721#comment-668 Those ACLs don't block "regular" pings, only less commonly used ICMP packet types. As you can see, ICMP 'echo', 'echo-reply', 'host-unreachable', etc. are still allowed. Regards. Those ACLs don’t block “regular” pings, only less commonly used ICMP packet types. As you can see, ICMP ‘echo’, ‘echo-reply’, ‘host-unreachable’, etc. are still allowed.
Regards.

]]>