AUSCERT External Security Bulletin Redistribution

                  ESB-2001.410 -- Cisco Security Advisory
     Cisco PIX Firewall Authentication Denial of Service Vulnerability
                              4 October 2001


        AusCERT Security Bulletin Summary

Product:                Secure PIX Firewall AAA authentication feature
Vendor:                 Cisco Systems
Impact:                 Denial of Service
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------


       Cisco PIX Firewall Authentication Denial of Service Vulnerability
Revision 1.0

  For Public Release 2001 October 03 08:00 (UTC -0800)

   The Cisco Secure PIX Firewall AAA authentication feature, introduced
   in version 4.0, is vulnerable to a Denial of Service (DoS) attack
   initiated by authenticating users on the system.  This vulnerability
   affects specific configurations and has been resolved in released
   versions of the PIX Firewall.
   This vulnerability has been assigned Cisco bug ID CSCdt92339.
   The complete notice will be available at
Affected Products

   All users of Cisco Secure PIX Firewalls with software versions 4.0 up
   to and including 4.4(8), 5.0(3), 5.1(3), 5.2(2), and 5.3(1) with
   configurations using AAA authentication are at risk.
   Affected configurations will have configuration lines that begin:
    pixfirewall#  aaa authentication ...

   Configurations not including aaa authentication are not affected. PIX
   Firewall software versions 6.0(1) and later are not affected.
   The IOS Firewall feature set is not affected by the above defect.
   No other Cisco products are affected by this defect.

   When AAA authentication services are configured on the Cisco Secure
   PIX Firewall, it is possible for a single source address to consume
   all of the authentication resources, preventing other legitimate users
   from authenticating.  This is a denial of service strictly for the
   authentication resources; other established traffic continues
   unaffected, and only new authentication requests are prevented.
   This vulnerability has been resolved in the recent versions of the PIX
   Firewall by creating a maximum limit of three open authentication
   requests per user.
   Cisco Bug ID CSCdv09731 amends this limitation to allow system
   administrators to modify this limit, depending on their network

   This issue causes a PIX Firewall to be vulnerable to a DoS attack in
   which the availability of the unit is degraded. This does not result
   in a loss in confidentiality or in loss of integrity of the traffic
   being filtered.
Software Versions and Fixes

- - ----------------------------------------------------------------------------
Version Affected | Interim Release  | Fixed Regular Release (available now)
                 |                  |
                 | Fix carries      | Fix carries forward into all 
                 | forward into all | later versions
                 | later versions   |
- - ----------------------------------------------------------------------------
                 |                  |
All versions of  |                  | Upgrade to 5.2(6)
Cisco Secure PIX |                  |
up to and        |                  |
including        |                  |
version 4.4(8)   |                  |
                 |                  |
- - ----------------------------------------------------------------------------
                 |                  |
 Version 5.0 and |                  | Upgrade to 5.2(6)
 Version 5.1     |                  | 
                 |                  |
- - ----------------------------------------------------------------------------
                 |                  |
 Version  5.2(2) |    5.2(5.204)    | 5.2.(6)
                 |                  |
- - ----------------------------------------------------------------------------
                 |                  |
 Version 5.3.x   |    5.3(1.203)    | 5.3(2) 
 up to and       |                  |
 including       |                  |
 version 5.3(1)  |                  |
                 |                  |
- - ----------------------------------------------------------------------------
Obtaining Fixed Software

   Cisco is offering free software upgrades to remedy this vulnerability
   for all affected customers. Customers with service contracts may
   upgrade to any software version. Customers without contracts may
   upgrade only within a single row of the table above, except that any
   available fixed software will be provided to any customer who can use
   it and for whom the standard fixed software is not yet available. As
   always, customers may install only the feature sets they have
   Customers with contracts should obtain upgraded software through their
   regular update channels. For most customers, this means that upgrades
   should be obtained via the Software Center on Cisco's Worldwide Web
   site at http://www.cisco.com. Customers whose Cisco products are
   provided or maintained through prior or existing agreement with
   third-party support organizations such as Cisco Partners, authorized
   resellers, or service providers should contact that support
   organization for assistance with the upgrade, which should be free of
   Customers who purchase direct from Cisco but who do not hold a Cisco
   service contract, and customers who purchase through third party
   vendors but are unsuccessful at obtaining fixed software through their
   point of sale, should get their upgrades by contacting the Cisco
   Technical Assistance Center (TAC). TAC contacts are as follows:
     * +1 800 553 2447 (toll-free from within North America)
     * +1 408 526 7209 (toll call from anywhere in the world)
     * e-mail: tac@cisco.com
   See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
   additional TAC contact information, including instructions and e-mail
   addresses for use in various languages.
   Give the URL of this notice as evidence of your entitlement to a
   free upgrade. Free upgrades for non-contract customers must be
   requested through the TAC. Please do not contact either
   "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.

   There is no known workaround for all authentication types.
   If authentication is configured in conjunction with the Virtual HTTP
   feature, a limit of three concurrent authentication attempts per user
   exists, which could prevent this denial of service for HTTP traffic
   only. This would have no effect on authentication attempts for FTP or
   Telnet if the PIX is configured for authentication of those services.
Exploitation and Public Announcements

   This vulnerability has been publicly discussed on the Bugtraq list
   maintained by SecurityFocus at
   Cisco has no evidence or knowledge of exploitation of this
   vulnerability; this was discovered when a program on a customer site
   utilized all authentication resources.
Status of This Notice: FINAL

   This is a final notice. Although Cisco cannot guarantee the accuracy
   of all statements in this notice, all of the facts have been checked
   to the best of our ability. Cisco does not anticipate issuing updated
   versions of this notice unless there is some material change in the
   facts. Should there be a significant change in the facts, Cisco may
   update this notice.

   This notice will be posted on Cisco's Worldwide Web site at
   In addition to Worldwide Web posting, a text version of this
   notice is clear-signed with the Cisco PSIRT PGP key and is posted to
   the following e-mail and Usenet news recipients:
     * cust-security-announce@cisco.com
     * bugtraq@securityfocus.com
     * firewalls@lists.gnac.com
     * first-teams@first.org (includes CERT/CC)
     * cisco@spot.colorado.edu
     * cisco-nsp@puck.nether.net
     * comp.dcom.sys.cisco
     * Various internal Cisco mailing lists
   Future updates of this notice, if any, will be placed on Cisco's
   Worldwide Web server, but may or may not be actively announced on
   mailing lists or newsgroups. Users concerned about this problem are
   encouraged to check the URL given above for any updates.
Revision History

   Revision 1.0 For public release 2001 October 03 08:00 (UTC -0800)
Cisco Security Procedures

   Complete information on reporting security vulnerabilities in Cisco
   products, obtaining assistance with security incidents, and
   registering to receive security information from Cisco, is available
   on Cisco's Worldwide Web site at
   This includes instructions for press inquiries regarding Cisco
   security notices. All Cisco Security Advisories are available at
   This notice is Copyright 2001 by Cisco Systems, Inc. This notice may
   be redistributed freely after the release date given at the top of the
   text, provided that redistributed copies are complete and unmodified,
   and include all date and version information.

Version: PGP 6.5.2


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key