Updated May 9th: After a thorough investigation of the TCP Split Handshake issue raised by NSS Labs, Cisco has confirmed that the Cisco ASA firewall is not susceptible to this issue. In all test cases examined, the ASA operates as expected, providing protection in its default configuration against the Split-Handshake as defined in the original TCP Split Handshake paper. As a result, the Cisco PSIRT closed this investigation on May 4th.
Cisco appreciates the extended engagement and data provided by NSS Labs as we’ve worked through these scenarios. During two recent visits to NSS Labs, Cisco was presented with a number of scenarios, including new test cases that deviated from the original Split-Handshake scenario. The Cisco PSIRT collected traces and provided feedback to NSS Labs on all scenarios. In each case, Cisco demonstrated successful network protection through the default ASA configuration or the implementation of firewall policies that are fully supported, documented and used pervasively in enterprise deployments.
As always vulnerability reports should continue to be reported to the PSIRT organization (email@example.com). Cisco customers are encouraged to contact their account manager with any questions.
Recently there’s been some activity in the press regarding an NSS Labs report on potential vulnerabilities in Next-Generation Firewalls (NGFW). The Cisco Adaptive Security Appliance (ASA) was one of the products mentioned as vulnerable to these attacks. Based on the investigation of this issue to date, the data indicates that Cisco customers are not exposed to this issue. As always, should the vulnerability be confirmed the Cisco Product Security Incident Response Team (PSIRT) will investigate, drive remediation and disclose per our normal communication channels. (PSIRT Vulnerability Policy)
On April 12th, NSS Labs published a report regarding vulnerabilities on a number of firewalls, including Cisco’s ASA product line. The full report has a hefty $3500 price tag, but NSS does provide a free (with registration) “Remediation Guide,” for users of these firewalls.
The NSS Labs Remediation Guide incorrectly lists the Cisco ASA as vulnerable to the TCP Split Handshake attack, and also mentions that there are no steps available to customers to mitigate or remediate this attack.
Following an investigation over the course of several months, involving well over a dozen Cisco engineers from various teams and working in conjunction with NSS Labs, no vulnerability of this nature has been observed on Cisco products. The following products have been investigated:
- Cisco ASA
- Cisco IOS Firewall
- Cisco Intrusion Protection (IPS) Appliances
It’s important to note that the NSS Labs report focuses only on one attack called the TCP Split Handshake, which is a third means to initiate TCP sessions that combines features of both the three-way handshake and the simultaneous-open connection.
However, the goal of this post isn’t to discuss the technical details of TCP handshakes, but rather to present what Cisco has done and is doing to investigate the impact to our products and protect our customers.