pix firewall 501 wit http get vulnerability

Unanswered Question
Oct 21st, 2008
User Badges:

Is it possible to load 6.5.(112)

on a pix 501? or is there a workaround on how to fix this:

Description:

George D. Gal has reported a vulnerability in Cisco PIX/ASA/FWSM, which can be exploited by malicious people to bypass certain security restrictions.


The vulnerability is caused due to an error within the handling of fragmented HTTP requests. This can be exploited to bypass Websense URL filtering and gain access to restricted websites via HTTP GET requests that are fragmented into multiple packets.


Successful exploitation requires that PIX, ASA, or FWSM are configured to use Websense/N2H2 for content filtering.


The vulnerability has been reported in the following products:

* Cisco PIX software version 6.3.x and older.

* Cisco PIX/ASA software version 7.x.

* Cisco FWSM software version 2.3 and 3.1.


Solution:

Update to the fixed versions.


FWSM version 2.3:

Update to version 2.3(4).

http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-fwsm?psrtdcat20e2


FWSM version 3.1:

Update to version 3.1(1.7).

Contact Cisco TAC or Cisco support partner for the updates.


PIX version 6.3.x:

Update to version 6.3.5(112).

Contact Cisco TAC or Cisco support partner for the updates.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

Actions

This Discussion