AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
-
A vulnerability exists in the Cisco Firewall Services Module (FWSM) for the Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The vulnerability may cause the FWSM to stop forwarding traffic and may be triggered while processing multiple, crafted ICMP messages.
There are no known instances of intentional exploitation of this vulnerability. However, Cisco has observed data streams that appear to trigger this vulnerability unintentionally.
Cisco has released software updates that address this vulnerability.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090819-fwsm.
-
Vulnerable Products
All non-fixed 2.x, 3.x and 4.x versions of the FWSM software are affected by this vulnerability.
To determine the version of the FWSM software that is running, issue the show module command-line interface (CLI) command from Cisco IOS Software or Cisco Catalyst Operating System Software to identify what modules and sub-modules are installed in the system.
The following example shows a system with an FWSM (WS-SVC-FWM-1) installed in slot 4.
switch#show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   48  SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX     SAxxxxxxxxx
  4    6  Firewall Module                        WS-SVC-FWM-1       SAxxxxxxxxx
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-BASE     SAxxxxxxxxx
  6    2  Supervisor Engine 720 (Hot)            WS-SUP720-BASE     SAxxxxxxxxx
After locating the correct slot, issue the show module <slot number> command to identify the software version that is running.
switch#show module 4
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  4    6  Firewall Module                        WS-SVC-FWM-1       SAxxxxxxxxx

Mod MAC addresses                       Hw     Fw           Sw           Status
--- --------------------------------- ------ ------------ ------------ -------
  4 0003.e4xx.xxxx to 0003.e4xx.xxxx  3.0    7.2(1)       3.2(3)       Ok
The preceding example shows that the FWSM is running software version 3.2(3) as indicated by the column under "Sw".
Note: Recent versions of Cisco IOS Software will show the software version of each module in the output from the show module command; therefore, executing the show module <slot number> command is not necessary.
If a Virtual Switching System (VSS) is used to allow two physical Cisco Catalyst 6500 Series Switches to operate as a single logical virtual switch, the show module switch all command can display the software version of all FWSMs that belong to switch 1 and switch 2. The output from this command is similar to the output from the show module <slot number> command but includes module information for the modules in each switch in the VSS.
Alternatively, version information can be obtained directly from the FWSM through the show version command, as shown in the following example.
FWSM#show version
FWSM Firewall Version 3.2(3)
Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window. The version notation is similar to the following example.
FWSM Version: 3.2(3)
Products Confirmed Not Vulnerable
Other Cisco products that offer firewall services, including Cisco IOS Software, Cisco ASA 5500 Series Adaptive Security Appliances, and Cisco PIX Security Appliances, are not affected by this vulnerability.
No other Cisco products are currently known to be affected by this vulnerability.
-
The Cisco FWSM is a high-speed, integrated firewall module for Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The FWSM offers firewall services with stateful packet filtering and deep packet inspection.
A vulnerability exists in the Cisco FWSM Software that may cause the FWSM to stop forwarding traffic between interfaces, or stop processing traffic that is directed at the FWSM (management traffic) after multiple, crafted ICMP messages are processed by the FWSM. Any traffic that transits or is directed towards the FWSM is affected, regardless of whether ICMP inspection (inspect icmp command under Class configuration mode) is enabled.
The FWSM stops processing traffic because one of the Network Processors (NPs) that is used by the FWSM to handle traffic may use all available execution threads while handling a specific type of crafted ICMP messages. This behavior limits the execution threads that are available to handle additional traffic.
Administrators may be able to determine if the FWSM has been affected by this vulnerability by issuing the show np 2 stats command. If this command produces output showing various counters and their values, as shown in the example CLI output that follows, the FWSM has not been affected by the vulnerability. If the command returns a single line that reads "ERROR: np_logger_query request for FP Stats failed", the FWSM may have been affected by the vulnerability.
FWSM#show np 2 stats
-------------------------------------------------------------------------------
Fast Path 64 bit Global Statistics Counters (NP-2)
-------------------------------------------------------------------------------
PKT_MNG: total packets (dot1q) rcvd      : 10565937
PKT_MNG: total packets (dot1q) sent      : 4969517
PKT_MNG: total packets (dot1q) dropped   : 65502
PKT_MNG: TCP packets received            : 0
PKT_MNG: UDP packets received            : 4963509
PKT_MNG: ICMP packets received           : 0
PKT_MNG: ARP packets received            : 2
PKT_MNG: other protocol pkts received    : 0
PKT_MNG: default (no IP/ARP) dropped     : 0
SESS_MNG: sessions created               : 18
SESS_MNG: sessions embryonic to active   : 0
...
An FWSM that stops processing traffic as a result of this vulnerability will need to be reloaded. Administrators can reload the FWSM from the supervisor of the Catalyst 6500 Series Switch or the Cisco 7600 Series Router by issuing the command hw-module module <slot # for FWSM> reset (Cisco IOS Software), or set module power up|down <module #> (Cisco CatOS Software). Note that unless the FWSM software is updated to a non-vulnerable version, or crafted ICMP messages are blocked (see the Workarounds section for details), the FWSM can still be subject to exploitation (intentional or otherwise) after a reload.
If an FWSM that is configured for failover operation encounters this issue, the active FWSM may not properly fail over to the standby FWSM.
IPv6 (in particular ICMPv6) cannot trigger this vulnerability.
This issue is documented in Cisco Bug ID CSCsz97207 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-0638.
-
There are no workarounds for this vulnerability. Access control lists (ACLs) that are deployed on the FWSM itself to block through-the-device or to-the-device ICMP messages are not effective to prevent this vulnerability. However, blocking unnecessary ICMP messages on screening devices or on devices in the path to the FWSM will prevent the FWSM from triggering the vulnerability. For example, the following ACL, when deployed on a Cisco IOS device in front of the FWSM, will prevent crafted ICMP messages from reaching the FWSM, and thus protect the FWSM from triggering the vulnerability:
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any
access-list 101 permit ip any any
This sample ACL permits certain ICMP messages that are vital for network troubleshooting and for proper operation of the network. It is safe to allow any other ICMP messages for which the Cisco IOS Software access-list command has named ICMP type keywords. ACLs like the one in the preceding example may also be deployed on non-Cisco IOS devices, such as the Cisco PIX and ASA security appliances, although the ACL syntax on non-Cisco IOS devices may not support all the named ICMP type keywords that the Cisco IOS ACL syntax supports. However, on non-Cisco IOS devices, it is safe to permit all ICMP messages for which there are named ICMP type keywords in the ACL syntax.
As mentioned in the Details section, if the FWSM has stopped processing traffic due to this vulnerability, the FWSM will require a reload. Administrators can reload the FWSM by logging in to the supervisor of the Catalyst 6500 Series Switch or the Cisco 7600 Series router and issuing the hw-module module <slot # for FWSM> reset (Cisco IOS Software), or set module power up|down <module #> (Cisco CatOS Software) commands.
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20090819-fwsm.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Each row of the FWSM software table below lists a major FWSM software train and, in the "First Fixed Release" column, the earliest release within that train that contains the fix, together with the anticipated date of availability if that release is not yet available. A device running a release earlier than the First Fixed Release for its train is known to be vulnerable and should be upgraded to that release or a later one (greater than or equal to the First Fixed Release).
Major Release   First Fixed Release
2.x             Vulnerable; migrate to 3.x or 4.x
3.1             3.1(16)
3.2             3.2(13)
4.0             4.0(6)
Fixed FWSM software can be downloaded from the Software Center on cisco.com by visiting http://www.cisco.com/cisco/web/download/index.html and navigating to "Security" > "Cisco Catalyst 6500 Series Firewall Services Module" > "Firewall Services Module (FWSM) Software".
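The version check described in the Vulnerable Products section and the fix table above can be automated when auditing many chassis. The following Python is an added example, not Cisco tooling: it parses a constructed "show module <slot>" output in the advisory's layout, pulls the "Sw" column for each Firewall Module, and compares it against the First Fixed Release of its train (function and constant names are this example's own).

```python
import re

# First fixed release per FWSM train, copied from the advisory's fix table.
# The 2.x train has no fixed release; it must migrate to 3.x or 4.x.
FIRST_FIXED = {"3.1": "3.1(16)", "3.2": "3.2(13)", "4.0": "4.0(6)"}

# Constructed sample of 'show module 4' output in the advisory's layout.
SAMPLE_SHOW_MODULE = """\
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  4    6  Firewall Module                        WS-SVC-FWM-1       SAxxxxxxxxx

Mod MAC addresses                       Hw     Fw           Sw           Status
--- --------------------------------- ------ ------------ ------------ -------
  4 0003.e4xx.xxxx to 0003.e4xx.xxxx  3.0    7.2(1)       3.2(3)       Ok
"""

def parse_version(ver):
    """'3.2(3)' -> (3, 2, 3), so releases compare numerically, not as strings."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)", ver.strip())
    if not m:
        raise ValueError(f"unrecognised FWSM version: {ver!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(ver):
    """True when the release is below the First Fixed Release of its train."""
    major, minor, maint = parse_version(ver)
    if major == 2:
        return True  # no fixed 2.x release exists
    fixed = FIRST_FIXED.get(f"{major}.{minor}")
    if fixed is None:
        raise ValueError(f"train {major}.{minor} is not in the advisory's fix table")
    return (major, minor, maint) < parse_version(fixed)

def fwsm_versions(show_module_output):
    """Map FWSM slot -> 'Sw' column, using the Card Type and MAC-address tables."""
    lines = show_module_output.splitlines()
    # Slots whose Card Type is "Firewall Module" (other modules are ignored).
    slots = {int(m.group(1)) for line in lines
             if (m := re.match(r"\s*(\d+)\s+\d+\s+Firewall Module\b", line))}
    versions = {}
    for line in lines:
        # MAC-address row: Mod, <mac> to <mac>, Hw, Fw, Sw, Status
        m = re.match(r"\s*(\d+)\s+\S+ to \S+\s+\S+\s+\S+\s+(\S+)\s+\S+\s*$", line)
        if m and int(m.group(1)) in slots:
            versions[int(m.group(1))] = m.group(2)
    return versions

if __name__ == "__main__":
    for slot, ver in fwsm_versions(SAMPLE_SHOW_MODULE).items():
        print(f"FWSM in slot {slot} runs {ver}: "
              f"{'VULNERABLE' if is_vulnerable(ver) else 'fixed'}")
```

Feed the function the real "show module" output captured from the supervisor; recent Cisco IOS releases include the Sw column in the plain show module output, so no per-slot command is needed.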
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory, but Cisco is aware of customers that have encountered this vulnerability during normal network operation.
This vulnerability was discovered during the handling of customer support cases.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0
2009-August-19
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.