ID

VAR-200605-0002

CVE

CVE-2006-0515

TITLE

Cisco PIX Firewall In URL Vulnerability bypassed by filtering

DESCRIPTION

Cisco PIX/ASA 7.1.x before 7.1(2) and 7.0.x before 7.0(5), PIX 6.3.x before 6.3.5(112), and FWSM 2.3.x before 2.3(4) and 3.x before 3.1(7), when used with Websense/N2H2, allows remote attackers to bypass HTTP access restrictions by splitting the GET method of an HTTP request into multiple packets, which prevents the request from being sent to Websense for inspection, aka bugs CSCsc67612, CSCsc68472, and CSCsd81734. Multiple Cisco products are susceptible to a content-filtering bypass vulnerability. This issue is due to a failure of the software to properly recognize HTTP request traffic. This issue allows users to bypass content-filtering and access forbidden websites. Cisco is tracking this issue as Bug IDs CSCsc67612, CSCsc68472, and CSCsd81734.http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsd81734. Cisco PIX is a very popular network firewall, and FWSM is a firewall service module on Cisco equipment. Attackers can use this loophole to bypass Websense content inspection and filtering. Gal has reported a vulnerability in Cisco PIX/ASA/FWSM, which can be exploited by malicious people to bypass certain security restrictions. Successful exploitation requires that PIX, ASA, or FWSM are configured to use Websense/N2H2 for content filtering. * Cisco PIX/ASA software version 7.x. * Cisco FWSM software version 2.3 and 3.1. SOLUTION: Update to the fixed versions. FWSM version 2.3: Update to version 2.3(4). http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-fwsm?psrtdcat20e2 FWSM version 3.1: Update to version 3.1(1.7). Contact Cisco TAC or Cisco support partner for the updates. PIX version 6.3.x: Update to version 6.3.5(112). Contact Cisco TAC or Cisco support partner for the updates. PIX/ASA version 7.x: Update to version 7.0(5) or 7.1(2). http://www.cisco.com/pcgi-bin/tablebuild.pl/pix?psrtdcat20e2 http://www.cisco.com/pcgi-bin/tablebuild.pl/asa?psrtdcat20e2 PROVIDED AND/OR DISCOVERED BY: George D. Gal ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20060508-pix.shtml Virtual Security Research, LLC: http://www.vsecurity.com/bulletins/advisories/2006/cisco-websense-bypass.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: WebSense content filter bypass when deployed in conjunction with Cisco filtering devices Release Date: 2006-05-08 Application: Websense in Conjunction with Cisco PIX Version: Websense 5.5.2 Cisco PIX OS / ASA < 7.0.4.12 Cisco PIX OS < 6.3.5(112) FWSM 2.3.x FWSM 3.x (other versions untested) Severity: Low Author: George D. Gal <ggal_at_vsecurity.com> Vendor Status: Vendor Notified, Fix Available CVE Candidate: CVE-2006-0515 Reference: http://www.vsecurity.com/bulletins/advisories/2006/cisco-websense-bypass.txt - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Product Description: >>From the WebSense website[1]: "Websense Enterprise, the industry-leading web filtering solution, improves employee productivity, reduces legal liability, and optimizes the use of IT resources. Websense Enterprise integrates seamlessly with leading network infrastructure products to offer unequaled flexibility and control." Vulnerability Overview: On August 9th, 2005 VSR has identified the ability to bypass the Websense URL filtering capabilities when used in conjunction with the Cisco PIX for web content filtering. Shortly thereafter another security researcher [sledge.hammer(a+t)sinhack.net] had published[2] a proof-of-concept for evading the URL filtering performed by Websense claiming that Websense has failed to address the issue. However, the vulnerability has been verified by Cisco as a problem which relies within its handling of filtered requests. However, when splitting the HTTP request into two or more packets on the HTTP method it is possible to circumvent the filtering mechanism. Additionally, requests using this fragmented approach do not appear to be logged within Websense indicating that the request is never sent to Websense for policy inspection. The simplest form required to exploit this vulnerability is to fragment the first character of the HTTP request, followed by a single TCP packet for subsequent data (e.g. setting the PSH flag on the individual packets). Virtual Security Research has created a utility[3] to demonstrate the ability to bypass Websense filtering for the affected versions of Cisco filtering devices enumerated in this advisory header. You may download and run this utility at your own risk from: http://www.vsecurity.com/tools/WebsenseBypassProxy.java The following Snort output demonstrates the fragmented request capable of bypassing Websense: - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 11/04-10:06:36.260991 0:B:DB:DE:19:87 -> 0:0:C:7:AC:5 type:0x800 len:0x43 10.254.5.113:58034 -> 82.165.25.125:80 TCP TTL:64 TOS:0x0 ID:1534 IpLen:20 DgmLen:53 DF ***AP*** Seq: 0xF5B80F51 Ack: 0x21D6E47 Win: 0x8040 TcpLen: 32 TCP Options (3) => NOP NOP TS: 148674 160066961 47 G =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 11/04-10:06:36.359288 0:30:7B:93:19:4C -> 0:B:DB:DE:19:87 type:0x800 len:0x42 82.165.25.125:80 -> 10.254.5.113:58034 TCP TTL:49 TOS:0x0 ID:36972 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x21D6E47 Ack: 0xF5B80F52 Win: 0x16A0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 160066973 148674 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 11/04-10:06:36.359387 0:B:DB:DE:19:87 -> 0:0:C:7:AC:5 type:0x800 len:0x185 10.254.5.113:58034 -> 82.165.25.125:80 TCP TTL:64 TOS:0x0 ID:1535 IpLen:20 DgmLen:375 DF ***AP*** Seq: 0xF5B80F52 Ack: 0x21D6E47 Win: 0x8040 TcpLen: 32 TCP Options (3) => NOP NOP TS: 148683 160066973 45 54 20 2F 66 61 76 69 63 6F 6E 2E 69 63 6F 20 ET /favicon.ico 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 HTTP/1.1..Host: 77 77 77 2E 70 68 72 61 63 6B 2E 6F 72 67 0D 0A www.phrack.org.. 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 User-Agent: Mozi 6C 6C 61 2F 35 2E 30 20 28 58 31 31 3B 20 55 3B lla/5.0 (X11; U; 20 46 72 65 65 42 53 44 20 69 33 38 36 3B 20 65 FreeBSD i386; e 6E 2D 55 53 3B 20 72 76 3A 31 2E 37 2E 39 29 20 n-US; rv:1.7.9) 47 65 63 6B 6F 2F 32 30 30 35 30 37 31 38 20 46 Gecko/20050718 F 69 72 65 66 6F 78 2F 31 2E 30 2E 35 0D 0A 41 63 irefox/1.0.5..Ac 63 65 70 74 3A 20 69 6D 61 67 65 2F 70 6E 67 2C cept: image/png, 2A 2F 2A 3B 71 3D 30 2E 35 0D 0A 41 63 63 65 70 */*;q=0.5..Accep 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 t-Language: en-u 73 2C 65 6E 3B 71 3D 30 2E 35 0D 0A 41 63 63 65 s,en;q=0.5..Acce 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 pt-Encoding: gzi 70 2C 64 65 66 6C 61 74 65 0D 0A 41 63 63 65 70 p,deflate..Accep 74 2D 43 68 61 72 73 65 74 3A 20 49 53 4F 2D 38 t-Charset: ISO-8 38 35 39 2D 31 2C 75 74 66 2D 38 3B 71 3D 30 2E 859-1,utf-8;q=0. 37 2C 2A 3B 71 3D 30 2E 37 0D 0A 4B 65 65 70 2D 7,*;q=0.7..Keep- 41 6C 69 76 65 3A 20 63 6C 6F 73 65 0D 0A 43 6F Alive: close..Co 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D nnection: close. 0A 0D 0A ... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 11/04-10:06:36.458004 0:30:7B:93:19:4C -> 0:B:DB:DE:19:87 type:0x800 len:0x42 82.165.25.125:80 -> 10.254.5.113:58034 TCP TTL:49 TOS:0x0 ID:55157 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x21D6E47 Ack: 0xF5B81095 Win: 0x1920 TcpLen: 32 TCP Options (3) => NOP NOP TS: 160066982 148683 - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Vendor Response: WebSense and Cisco were first notified on 2005-11-04. While no responses or acknowledgments were received from Websense the following time line outlines the responses from Cisco regarding this issue: 2005-11-04 - Acknowledgment of security notification 2005-12-02 - Subsequent follow-up and response from Cisco to determine cause of observed behavior 2006-01-04 - Subsequent follow-up and response from Cisco acknowledging issue is being addressed by development teams 2006-01-30 - Estimated release of PIX code for 7.0.4 release is 2/20/2006 2006-02-17 - Notified by Cisco that fix will not make estimated delivery date due to regression issues, new release data of 3/20/2006 provided 2006-03-06 - Status update from vendor on new date, targets on track for 7.0 PIX OS release 2006-03-13 - Confirmation from Cisco on 3/20 code release 2006-03-17 - Communications from Cisco notifying VSR of other potential products affected (FWSM). 2006-03-24 - Communications received from Cisco acknowledging communication with FWSM team 2006-04-04 - Communication received from Cisco acknowledging FWSM vulnerability 2006-04-07 - Communications from Cisco confirming fixes for FWSM 2.3.x and 3.x PSIRT awaiting release date for code 2006-04-14 - Communications from Cisco providing coordination details with FWSM team 2006-04-18 - Communications from Cisco providing build details incorporating fixes for FWSM products 2006-04-26 - Communications from Cisco providing details and update on FWSM testing and release availability; coordination for advisory release 2006-05-04 - Communications from Cisco for advisory release coordination Recommendation: Cisco PIX/ASA and FWSM customers should apply the latest upgrades from vendor: PIX OS 7.0.x upgrade is: 7.0.4.12 available at: http://www.cisco.com/cgi-bin/tablebuild.pl/pix-interim http://www.cisco.com/cgi-bin/tablebuild.pl/asa-interim PIX OS 6.3 upgrade is: 6.3.5(112) available by customer request via the Cisco TAC FWSM 2.3.x upgrade is: 2.3(4) available at: http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-fwsm FWSM 3.x upgrade is: 3.1(1.7) available by customer request via the Cisco TAC - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CVE-2006-0515 - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- References: 1. WebSense Enterprise http://www.websense.com/global/en/ProductsServices/WebsenseEnterprise/ 2. Sinhack.net URL Filtering Evasion http://sinhack.net/URLFilteringEvasion/ 3. Proof-of-Concept WebSense Bypass utility http://www.vsecurity.com/tools/WebsenseBypassProxy.java - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Vulnerability Disclosure Policy: http://www.vsecurity.com/disclosurepolicy.html - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Copyright 2006 Virtual Security Research, LLC. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iD8DBQFEX2nxTY6Rj3GeBOoRAucJAKCM5Bvtn/hyuDSC/87eLEIPDLZmSgCffMYc zVXMT1rLZxcJ0PDF4qWjlDQ= =LrNn -----END PGP SIGNATURE-----

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

Design Error

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

George D. Gal ggal@vsecurity.com

SOURCES

LAST UPDATE DATE

2024-08-14T15:20:06.853000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE