Cisco today is expected to confront more directly last week’s allegations from NSS Labs that Cisco firewalls are vulnerable to a hacker exploit known as the “TCP Split Handshake,” an attack that would fool the firewall into thinking the IP connection is a trusted one inside the network.
The NSS Labs report published April 12 said firewalls from five vendors — Cisco, Fortinet, Juniper, Palo Alto Networks and SonicWall — each, for a variety of reasons, had failed a vulnerability-assessment test related to the TCP Split Handshake. Check Point’s firewall was the only one in the NSS Labs’ test that passed the TCP Split Handshake test under the NSS Labs method.
Cisco on April 14 refuted the findings by NSS Labs, which had tested a Cisco ASA 5585-40 firewall that had been supplied by a Cisco customer. “The NSS Labs Remediation Guide incorrectly lists the Cisco ASA as vulnerable to the TCP Split Handshake attack, and also mentions that there are no steps available to customer to mitigate or remediate this attack,” wrote Russ Smoak, director of Cisco Product Security Incident Response (PSIRT) in the Cisco Security Research & Operations, in his blog post. “Following an investigation over the course of several months, involving well over a dozen Cisco engineers from various teams and working in conjunction with NSS Labs, no vulnerability of this nature has been observed on Cisco products.”
Smoak said Cisco has investigated not only the ASA, but also its IOS firewall and its intrusion prevention appliances.
Smoak also described Cisco’s interactions with NSS Labs: “NSS Labs approached the Cisco PSIRT in January of this year with the TCP Split handshake attack and indicated that, during an investigation at another site, NSS reported that the Cisco ASA improperly permitted the TCP split handshake negotiation. At that time, NSS Labs provided Cisco the test scripts they used at the customer site and asked that we investigate. NSS Labs did not collect or provide Cisco any configuration information or packet captures to demonstrate the behavior they observed.”
Cisco was not able to reproduce the test results that NSS Labs had. Cisco says it has now supplied NSS Labs with a Cisco ASA firewall “in the hopes that they can gather some evidence of their claims and we are awaiting their test results.”
Vik Phatak, the chief technology officer who leads the research team at NSS Labs, says the vulnerability-assessment lab stands by the findings it published last week related to the Cisco ASA 5585-40. Cisco has now supplied the lab with a different firewall, the lower-end 5505, and NSS Labs is observing that it is vulnerable to the TCP Split Handshake attack as well.
Sign up for Computerworld eNewsletters.