Cisco Investigation for TCP Split-Handshake Issue Reported by NSS
Updated May 9th: After a thorough investigation of the TCP Split Handshake issue raised by NSS Labs, Cisco has confirmed that the Cisco ASA firewall is not susceptible to this issue. In all test cases examined, the ASA operates as expected, providing protection in its default configuration against the Split-Handshake as defined in the original TCP Split Handshake paper. As a result, the Cisco PSIRT closed this investigation on May 4th.
Cisco appreciates the extended engagement and data provided by NSS Labs as we’ve worked through these scenarios. During two recent visits to NSS Labs, Cisco was presented with a number of scenarios, including new test cases that deviated from the original Split-Handshake scenario. The Cisco PSIRT collected traces and provided feedback to NSS Labs on all scenarios. In each case, Cisco demonstrated successful network protection through the default ASA configuration or the implementation of firewall policies that are fully supported, documented and used pervasively in enterprise deployments.
As always, vulnerability reports should continue to be reported to the PSIRT organization (firstname.lastname@example.org). Cisco customers are encouraged to contact their account manager with any questions.
Recently there’s been some activity in the press regarding an NSS Labs report on potential vulnerabilities in Next-Generation Firewalls (NGFW). The Cisco Adaptive Security Appliance (ASA) was one of the products mentioned as vulnerable to these attacks. Based on the investigation of this issue to date, the data indicates that Cisco customers are not exposed to this issue. As always, should the vulnerability be confirmed the Cisco Product Security Incident Response Team (PSIRT) will investigate, drive remediation and disclose per our normal communication channels. (PSIRT Vulnerability Policy)
On April 12th, NSS Labs published a report regarding vulnerabilities on a number of firewalls, including Cisco’s ASA product line. The full report has a hefty $3500 price tag, but NSS does provide a free (with registration) “Remediation Guide,” for users of these firewalls.
The NSS Labs Remediation Guide incorrectly lists the Cisco ASA as vulnerable to the TCP Split Handshake attack, and also mentions that there are no steps available to customers to mitigate or remediate this attack.
Following an investigation over the course of several months, involving well over a dozen Cisco engineers from various teams and working in conjunction with NSS Labs, no vulnerability of this nature has been observed on Cisco products. The following products have been investigated:
- Cisco ASA
- Cisco IOS Firewall
- Cisco Intrusion Protection (IPS) Appliances
It’s important to note that the NSS Labs report focuses only on one attack called the TCP Split Handshake, which is a third means to initiate TCP sessions that combines features of both the three-way handshake and the simultaneous-open connection.
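To make the distinction concrete, the following is an added example written for this page; it is not Cisco code and does not describe how the ASA implements connection tracking. It models a minimal stateful firewall that only admits flows opened from the inside and only accepts a SYN/ACK as the outside host's reply, then runs the three-way handshake, the RFC 793 simultaneous open, and the split handshake (modeled in its four-packet form, where the server answers the client's SYN with a bare SYN, the client replies with SYN/ACK and the server ACKs) through it. The "inside"/"outside" labels, the state names and the policy are assumptions of the model, and the packet lists are constructed, not captures.

```python
"""Constructed model of stateful TCP handshake tracking (added example, not Cisco code)."""
from dataclasses import dataclass

SYN, ACK = "SYN", "ACK"  # only the flags the model needs


@dataclass(frozen=True)
class Packet:
    src: str          # "inside" (the client) or "outside" (the server); assumed labels
    flags: frozenset  # subset of {SYN, ACK}


def pkt(src, *flags):
    return Packet(src, frozenset(flags))


class HandshakeTracker:
    """Tracks a single flow under an assumed policy:
    - only the inside host may open a flow, and only with a bare SYN;
    - the outside host must answer that SYN with SYN+ACK;
    - a bare SYN from the outside is never accepted, whether or not a
      half-open flow exists (this is the packet that marks a split handshake);
    - the flow becomes ESTABLISHED only on the inside host's final ACK.
    """

    def __init__(self):
        self.state = "NONE"
        self.dropped = []  # packets the policy refused, in order

    def process(self, p: Packet) -> str:
        f = p.flags
        if self.state == "NONE":
            if p.src == "inside" and f == {SYN}:
                self.state = "SYN_SENT"
            else:
                self.dropped.append(p)  # outside-initiated or malformed opener
        elif self.state == "SYN_SENT":
            if p.src == "outside" and f == {SYN, ACK}:
                self.state = "SYN_RECEIVED"
            else:
                self.dropped.append(p)  # e.g. a bare SYN from the responder
        elif self.state == "SYN_RECEIVED":
            if p.src == "inside" and f == {ACK}:
                self.state = "ESTABLISHED"
            else:
                self.dropped.append(p)
        # ESTABLISHED: data phase, not modeled
        return self.state


# Constructed exchanges (client = inside, server = outside)
THREE_WAY = [pkt("inside", SYN), pkt("outside", SYN, ACK), pkt("inside", ACK)]

# RFC 793 simultaneous open: both sides send SYN, then both send SYN+ACK.
SIMULTANEOUS_OPEN = [pkt("inside", SYN), pkt("outside", SYN),
                     pkt("inside", SYN, ACK), pkt("outside", SYN, ACK)]

# Split handshake: the server answers the client's SYN with a bare SYN, so the
# client ends up sending SYN+ACK as though it were the responder.
SPLIT_HANDSHAKE = [pkt("inside", SYN), pkt("outside", SYN),
                   pkt("inside", SYN, ACK), pkt("outside", ACK)]


def run(exchange):
    """Feed an exchange through the tracker; return (final state, packets dropped)."""
    t = HandshakeTracker()
    for p in exchange:
        t.process(p)
    return t.state, len(t.dropped)


def classify(exchange):
    """Detection logic (constructed): label a handshake by its packet pattern,
    which is the kind of check an inspection engine could log on."""
    seq = [(p.src, p.flags) for p in exchange[:4]]
    if seq[:3] == [("inside", {SYN}), ("outside", {SYN, ACK}), ("inside", {ACK})]:
        return "three-way"
    if seq[:2] == [("inside", {SYN}), ("outside", {SYN})]:
        if seq[2:4] == [("inside", {SYN, ACK}), ("outside", {SYN, ACK})]:
            return "simultaneous-open"
        if seq[2:4] == [("inside", {SYN, ACK}), ("outside", {ACK})]:
            return "split-handshake"
    return "unknown"


if __name__ == "__main__":
    for name, ex in [("three-way", THREE_WAY), ("simultaneous open", SIMULTANEOUS_OPEN),
                     ("split handshake", SPLIT_HANDSHAKE)]:
        print(f"{name:18s} classified={classify(ex):18s} final={run(ex)}")
```

Under this policy the three-way handshake reaches ESTABLISHED with nothing dropped, while the split handshake never leaves SYN_SENT: the outside host's bare SYN, the client's resulting SYN/ACK and the server's ACK are all refused, so the flow is never treated as open and the outside host never gets to act as the initiator. The simultaneous open is refused at the same point, which illustrates why the split handshake is described as borrowing from both forms and why a firewall that insists on the canonical responder reply handles both the same way.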
However, the goal of this post isn’t to discuss the technical details of TCP handshakes, but rather to present what Cisco has done and is doing to investigate the impact to our products and protect our customers.
NSS Labs approached the Cisco PSIRT in January of this year with the TCP Split Handshake attack and indicated that, during an investigation at another site, the Cisco ASA had improperly permitted the TCP split handshake negotiation. At that time, NSS Labs provided Cisco the test scripts they used at the customer site and asked that we investigate. NSS did not collect or provide Cisco any configuration information or packet captures to demonstrate the behavior they observed.
As part of our standard investigation process, we filed bugs to document and investigate the issues, not only for the ASA, but other potentially affected products such as the Cisco IOS Firewall feature (IOS-FW) and the Cisco Intrusion Prevention System (IPS).
Once we set to work trying to reproduce the issue on the ASA, we began freely exchanging our lab configuration and testing results with NSS and asking for any additional guidance they could provide. To date, Cisco has tested using numerous configuration, software and platform combinations, and all of the aforementioned products have blocked the TCP split handshake negotiation correctly. NSS no longer had access to an ASA, so they have been unable to reproduce the suspected behavior or provide any detailed information to aid the investigation.
Fast-forward to April, and we’re still unable to reproduce the TCP split handshake issue. Last week we sent NSS Labs a Cisco ASA in the hopes that they can gather some evidence of their claims and we are awaiting their test results. The Cisco PSIRT has made the bugs that were filed for investigation public, and based on the lack of evidence has closed them effective today. The Cisco PSIRT will continue to work with NSS and re-open the bugs should an issue be discovered.
And since only customers with service contracts can access the Cisco bug toolkit to review the bugs, Cisco will increase the transparency on this issue by also documenting the investigation via IntelliShield Alert 22462 which has been made public to all Cisco.com visitors.