Thursday, 21 April 2011

TCP split handshake: vulnerability in most firewalls

On April 12, NSS Labs reported potential vulnerabilities in next-generation firewalls (NGFW).
The TCP split handshake is an attack that fools the firewall into treating the connection as a trusted one, as if it had been initiated from inside the network.
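To make the role confusion concrete, here is an added example (written for this post, not code from NSS Labs or any of the vendors named). It models a stateful firewall's handshake tracking on two constructed packet sequences: the textbook three-way handshake and the split handshake, in which the outside peer answers a SYN with a bare SYN of its own so that the inside host ends up sending the SYN/ACK. A naive tracker that infers roles from whoever sends SYN/ACK assigns the roles backwards; a tracker that pins the initiator to the first SYN and labels non-canonical handshakes can enforce an outbound-only policy and drop the split variant. The host names "inside"/"outside", the Segment class and the function names are assumptions of this example; sequence numbers and ports are omitted to keep the model small.

```python
"""Handshake-role tracking for the TCP split handshake (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Segment:
    """Minimal TCP segment view: endpoints plus the SYN and ACK flags."""
    src: str
    dst: str
    syn: bool = False
    ack: bool = False


# Constructed sample traffic. "inside" is the protected host behind the
# firewall, "outside" is the peer on the untrusted side.
THREE_WAY: List[Segment] = [
    Segment("inside", "outside", syn=True),
    Segment("outside", "inside", syn=True, ack=True),
    Segment("inside", "outside", ack=True),
]

# Split handshake: the outside peer answers the inside host's SYN with a
# bare SYN instead of SYN/ACK, so the inside host is the one that sends the
# SYN/ACK, and the outside peer completes the exchange with an ACK.
SPLIT: List[Segment] = [
    Segment("inside", "outside", syn=True),
    Segment("outside", "inside", syn=True),
    Segment("inside", "outside", syn=True, ack=True),
    Segment("outside", "inside", ack=True),
]


def naive_roles(segments: List[Segment]) -> Optional[Dict[str, str]]:
    """Naive tracker: whoever sends SYN/ACK is taken to be the responder.

    Correct for the three-way handshake, but in the split handshake the
    inside host sends the SYN/ACK, so the roles come out reversed and the
    outside peer is recorded as the (trusted) initiator."""
    for seg in segments:
        if seg.syn and seg.ack:
            return {"initiator": seg.dst, "responder": seg.src}
    return None


def robust_roles(segments: List[Segment]) -> Dict[str, Optional[str]]:
    """Robust tracker: the initiator is the sender of the first SYN, and the
    handshake is labelled so policy can refuse anything non-canonical."""
    initiator: Optional[str] = None
    responder: Optional[str] = None
    kind = "incomplete"
    for seg in segments:
        if initiator is None:
            if seg.syn and not seg.ack:
                initiator, responder = seg.src, seg.dst
            continue  # nothing to check before the first SYN
        from_responder = seg.src == responder
        if from_responder and seg.syn and not seg.ack:
            kind = "split"  # bare SYN coming back: split handshake
        elif from_responder and seg.syn and seg.ack and kind != "split":
            kind = "three-way"
    return {"initiator": initiator, "responder": responder, "kind": kind}


def policy_allows(segments: List[Segment], trusted_side: str = "inside") -> bool:
    """Outbound-only policy: permit only a canonical three-way handshake that
    the trusted side initiated; split handshakes are dropped outright."""
    roles = robust_roles(segments)
    return roles["kind"] == "three-way" and roles["initiator"] == trusted_side


if __name__ == "__main__":
    for name, seq in (("three-way", THREE_WAY), ("split", SPLIT)):
        print(name, "naive:", naive_roles(seq), "robust:", robust_roles(seq),
              "allowed:", policy_allows(seq))
```

Running the module prints both trackers' verdicts: the naive tracker records "outside" as the initiator of the split sequence, while the robust tracker keeps "inside" as initiator, labels the exchange "split", and the policy drops it. Dropping the split variant rather than trying to follow it is the behaviour Cisco describes for its products later in this post.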

The report published on 12 April named all the major firewall vendors: Cisco, Fortinet, Juniper, Palo Alto Networks and SonicWall failed, and Check Point was the only one that passed.

The Cisco Adaptive Security Appliance (ASA) was one of the products named as vulnerable to this attack; however, Cisco says that its customers are not exposed to the issue.

Cisco's reply is as follows:

As part of our standard investigation process, we filed bugs to document and investigate the issues, not only for the ASA, but other potentially affected products such as the Cisco IOS Firewall feature (IOS-FW) and the Cisco Intrusion Prevention System (IPS).

Once we set to work trying to reproduce the issue on the ASA, we began freely exchanging our lab configuration and testing results with NSS and asking for any additional guidance they could provide. To date, Cisco has tested using numerous configuration, software and platform combinations, and all of the aforementioned products have blocked the TCP split handshake negotiation correctly. NSS no longer had access to an ASA, so they have been unable to reproduce the suspected behavior or provide any detailed information to aid the investigation.

Fast-forward to April, and we’re still unable to reproduce the TCP split handshake issue. Last week we sent NSS Labs a Cisco ASA in the hopes that they can gather some evidence of their claims and we are awaiting their test results. The Cisco PSIRT has made the bugs that were filed for investigation public, and based on the lack of evidence has closed them effective today. The Cisco PSIRT will continue to work with NSS and re-open the bugs should an issue be discovered.

Source: Russ Smoak, April 14, 2011