Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[Full-Disclosure] Potential denial of service bug in Cisco Pix Firewall IOS 6.2.2 a nd 6.3.(3.102)

Date: Fri Oct 03 2003 - 09:13:25 CDT

Brief Description

Users of Cisco Pix Firewalls may discover that their pool of NAT'ted IP
addresses is running out, and that a reboot or reload of the firewall clears
the problem.


The problem is caused by the Firewall being swamped by incoming ICMP packets
on the global pool IP addresses. If these are not intercepted by a router
beforehand, the incoming echo requests (that are emanating from
Nachi/Welchia worm infected machines) are preventing the release of the
address translation. ie, the Pix is detecting the blocked traffic as
indication that the translation is still in use.

I believe that this bug also affects the recent security update version
6.3(3.102) detailed at

I have been unable (and unwilling) to test this, but given that a permanent
fix is being worked on it is undoubtedly the case.


For those who are unable to block incoming ICMP echo requests at their
router (for whatever reason), Cisco have sent me the following details:

"1- use PAT (a global pool with a single entry) this way although the xlate
will remain up but all your internal hosts will be multiplexed over this pat
address. single pat address can accomodate in theory 65535 connections.
however this might break un-PATable traffic

2- use statics for your important servers that need NAT (1 to 1 mapping)

3- also instead of rebooting the whole pix you can simply log into it and do
"clear xlate" this will clear all translations."

It should be pointed out that "2" is not a solution to this problem. The
others are not ideal either.

Permanent fix

I have been informed that Cisco are aware of this and that a bug fix is
being worked on.


I am releasing this notification as there may well be system adminstrators
who are still suffering from this problem. Specifically the release of this
information cannot lead to any further attacks against systems that are
already affected.

Unfortunately Cisco have not updated their information regarding mitigation
against the Nachi/Welchia worm at

The mitigation information only covers outgoing connections. I have asked
Cisco for a fix to for this twice, and at present I am still waiting for a
resolution to my second request.

Apologies for the evil Outlook word-wrapping, which may render URLs above

Please be kind to me. This is my first security vulnerability I've ever

John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Aireyrnib.org.uk

Our world is intolerant, and always will be. We kid ourselves when we think
that those who have different values can tolerate each other.


NOTICE: The information contained in this email and any attachments is
confidential and may be privileged. If you are not the intended
recipient you should not use, disclose, distribute or copy any of the
content of it or of any attachment; you are requested to notify the
sender immediately of your receipt of the email and then to delete it
and any attachments from your system.

RNIB endeavours to ensure that emails and any attachments generated by
its staff are free from viruses or other contaminants. However, it
cannot accept any responsibility for any such which are transmitted.
We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email and
any attachments are those of the author and do not necessarily represent
those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html