Cisco has released six new security patches, including a couple for their firewall products. One (CVE-2011-0393) involves a denial of service condition on the ASA when it is configured in “transparent” mode.
Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:
* Transparent Firewall Packet Buffer Exhaustion Vulnerability
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* Routing Information Protocol (RIP) Denial of Service Vulnerability
* Unauthorized File System Access Vulnerability
Transparent mode is like a bridge, so the appliance listens at layer 2 and above instead of at layer 3 (as in routed mode). This means you can leave the addresses on either side of the firewall alone and filter non-IP traffic (using EtherType ACLs). Administrators who want to avoid changing IP addresses on servers, or who need to firewall legacy systems, are likely advocates of transparent mode. It also may make it easier than routed mode to pass multicast or the ol’ non-routable protocols: “(AppleTalk, IPX, BPDUs, and MPLS)”.
The vulnerability stems from buffer exhaustion for a newer protocol. Ah, the irony. While transparent mode is good for silently managing older protocols, apparently it falls over when IPv6 starts to show up.
The number of available packet buffers may decrease when a security appliance receives IPv6 traffic and is not configured for IPv6 operation. Administrators can check packet buffer utilization by issuing the command show blocks and inspecting the output for the number of available 1,550-byte blocks. If the number of blocks is zero (indicated by 0 in the CNT column), then the security appliance may be experiencing this issue. For example:
ciscoasa# show blocks
  SIZE    MAX    LOW    CNT
     0    400    360    400
     4    200    199    199
    80    400    358    400
   256   1412   1381   1412
  1550   6274      0      0
...
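If you poll that command from a monitoring box, the check Cisco describes (1,550-byte blocks with a CNT of 0) is easy to automate. The script below is an added example, not Cisco's code or part of the advisory: it parses `show blocks` text, picks out the pool for a given block size, and classifies it as exhausted, previously exhausted (LOW hit 0 but CNT has recovered), low, or ok. The sample output is constructed to mirror the advisory's example, and the function names and the 10% warning threshold are this example's own choices.

```python
"""Parse Cisco ASA `show blocks` output and flag packet-buffer exhaustion.

Added example for monitoring the symptom described in the Cisco advisory
(1,550-byte block CNT reaching 0). The sample text is constructed to mirror
the advisory's example; helper names and thresholds are this example's own.
"""
import re
from typing import Dict, NamedTuple


class BlockPool(NamedTuple):
    size: int  # block size in bytes
    max: int   # total blocks allocated for this size
    low: int   # lowest free count seen since boot / last clear
    cnt: int   # blocks currently free


# Constructed sample, mirroring the advisory's `show blocks` example.
SAMPLE_SHOW_BLOCKS = """\
ciscoasa# show blocks
  SIZE    MAX    LOW    CNT
     0    400    360    400
     4    200    199    199
    80    400    358    400
   256   1412   1381   1412
  1550   6274      0      0
...
"""

# A data row is exactly four integer columns: SIZE MAX LOW CNT.
_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_show_blocks(text: str) -> Dict[int, BlockPool]:
    """Return {block_size: BlockPool} for each numeric row of the output.

    The prompt line, the column header and a trailing '...' are skipped
    rather than treated as errors, since real captures include them.
    """
    pools: Dict[int, BlockPool] = {}
    for line in text.splitlines():
        match = _ROW.match(line)
        if not match:
            continue
        size, mx, low, cnt = (int(g) for g in match.groups())
        pools[size] = BlockPool(size, mx, low, cnt)
    return pools


def classify_pool(pools: Dict[int, BlockPool], size: int = 1550,
                  warn_fraction: float = 0.10) -> str:
    """Classify the pool for one block size.

    'exhausted'  - CNT is 0 right now (the advisory's symptom)
    'recovered'  - LOW is 0, so the pool hit zero since the last clear
    'low'        - CNT is under warn_fraction of MAX (example's own threshold)
    'ok'         - otherwise
    """
    pool = pools.get(size)
    if pool is None:
        raise KeyError(f"no {size}-byte pool in show blocks output")
    if pool.cnt == 0:
        return "exhausted"
    if pool.low == 0:
        return "recovered"
    if pool.cnt < pool.max * warn_fraction:
        return "low"
    return "ok"


if __name__ == "__main__":
    parsed = parse_show_blocks(SAMPLE_SHOW_BLOCKS)
    for pool in parsed.values():
        print(f"{pool.size:>5}-byte pool: {classify_pool(parsed, pool.size)}")
```

Run against a real capture (for example the text returned by a scripted SSH session), the 1550-byte row is the one to alert on; the other pools are classified the same way so a sudden drop elsewhere is visible too. Note that a zero LOW with a non-zero CNT still means the box ran dry at some point since the counter was last cleared, which is worth an alert of its own.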
So, we all now know a convenient, albeit noisy, way to find an (unpatched) Cisco ASA 5500 hiding in transparent mode.