Date: Thu, 16 Mar 2000 21:16:22 -0500
From: [email protected]
To: [email protected]
Subject: Cisco Security Notice: Cisco Secure PIX Firewall FTP Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Cisco Secure PIX Firewall FTP Vulnerabilities
Revision 1.3
For public release 2000 March 16 05:00 PM US/Pacific (UTC-0800)
Summary
=======
The Cisco Secure PIX Firewall interprets FTP (File Transfer Protocol)
commands out of context and inappropriately opens temporary access through
the firewall. This is an interim notice describing two related
vulnerabilities.
The first vulnerability is exercised when the firewall receives an error
message from an internal FTP server containing an encapsulated command such
that the firewall interprets it as a distinct command. This vulnerability
can be exploited to open a separate connection through the firewall. This
vulnerability is documented as Cisco Bug ID CSCdp86352.
The second vulnerability is exercised when a client inside the firewall
browses to an external server and selects a link that the firewall
interprets as two or more FTP commands. The client begins an FTP connection
as expected and at the same time unexpectedly executes another command
opening a separate connection through the firewall. This vulnerability is
documented as Cisco Bug ID CSCdr09226.
Either vulnerability can be exploited to transmit information through the
firewall without authorization.
Fixed software and workarounds are available to address the first
vulnerability. Fixed software is not yet available for the second
vulnerability but a workaround is provided.
Who Is Affected
===============
All users of Cisco Secure PIX Firewalls with software versions up to and
including 4.2(5), 4.4(4), and 5.0(3) that provide access to FTP services are
at risk from both vulnerabilities.
Cisco Secure PIX Firewall with software version 5.1(1) is affected by the
second vulnerability only.
Cisco Secure Integrated Software (formerly Cisco IOS(R) Software Firewall
Feature Set) is not affected by either vulnerability.
Impact
======
Any Cisco Secure PIX Firewall that has enabled the fixup protocol ftp
command is at risk of unauthorized transmission of data through the
firewall.
Details
=======
The first vulnerability has been assigned Cisco bug ID CSCdp86352. The
second vulnerability has been assigned Cisco bug ID CSCdr09226.
Both behaviors stem from the command "fixup protocol ftp [portnum]", which is
enabled by default on the Cisco Secure PIX Firewall.
The first attack (CSCdp86352) causes a server to send a valid command
encapsulated within an error message, and causes the firewall to read that
encapsulated partial command as a valid command of its own. If you do not have
protected FTP hosts with the accompanying configuration (configuration example
below), you are not vulnerable to this attack.
To exploit this vulnerability, attackers must be able to make connections to
an FTP server protected by the PIX Firewall. If your Cisco Secure PIX
Firewall has configuration lines similar to the following:

    fixup protocol ftp 21

and either

    conduit permit tcp host 192.168.0.1 eq 21 any

or

    conduit permit tcp 192.168.0.1 255.255.255.0 eq 21 any

it is possible to fool the PIX stateful inspection into opening arbitrary
TCP ports, which could allow attackers to circumvent the defined security
policy.
If you permit internal clients to make arbitrary FTP connections outbound,
you may be vulnerable to the second vulnerability (CSCdr09226). This is an
attack based on CERT advisory CA-2000-02, "Malicious HTML Tags Embedded in
Client Web Requests" (http://www.cert.org/advisories/CA-2000-02.html), and
detailed in the BUGTRAQ post "Extending the FTP 'ALG' vulnerability to any
FTP client"
(http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-08&msg=38C8C8EE.544524B1@enternet.se).
The recommendation in the Workarounds section of this document provides
protection against this vulnerability.
Response for the first vulnerability (CSCdp86352)
The following changes have been made to the "fixup protocol FTP" behavior of
the PIX Firewall:
* Enforce that only the server can generate a reply indicating the PASV
command was accepted.
* Enforce that only the client can generate a PORT command.
* Enforce that data channel is initiated from the expected side in an FTP
transaction.
* Verify that the "227" reply and the PORT command are complete lines, and
  not fragments of a "500" error reply that has been broken across
  segments.
* Enforce that the negotiated data port is neither 0 nor in the range 1
  through 1024.
These or equivalent changes will be carried forward into all PIX Firewall
software versions after version 5.1(1).
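The following Python model is an added illustration for this notice; it is not PIX code and not code from Cisco. On constructed control-channel traffic it reproduces the behaviour described above: an inspection that parses each TCP segment on its own (the pre-fix behaviour) opens a data-channel pinhole when a "500" error reply from a protected server is split so that a segment begins with the embedded "227" text, while an inspection applying the checks listed in the response to CSCdp86352 does not. It also runs the second scenario (CSCdr09226), an inside client tricked into sending an extra PORT line: the low-port check stops a PORT to 139, but a PORT to a high port is accepted because it is a syntactically legitimate client command, which is why the only remedy given here for that vulnerability is "no fixup protocol ftp" (modelled as enabled=False). The addresses, ports and reply text, and the extra check that the advertised address equals the peer's own control-channel address, are assumptions of the example and are not taken from this notice.

```python
import re

# Added example: a model of "fixup protocol ftp" inspection, not PIX code.
# All addresses, ports and FTP text below are constructed for the example.

PASV_REPLY = re.compile(
    r"227 [^\r\n]*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
PORT_CMD = re.compile(
    r"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", re.I)


def hostport(fields):
    """Decode the h1,h2,h3,h4,p1,p2 fields of a PORT command or 227 reply."""
    a, b, c, d, p1, p2 = (int(f) for f in fields)
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


class FtpFixup:
    """Inspects one FTP control connection and records the data-channel
    pinholes it would open as (side allowed to initiate, destination ip, port)."""

    def __init__(self, client_ip, server_ip, hardened=True, enabled=True):
        self.client_ip, self.server_ip = client_ip, server_ip
        self.hardened = hardened        # False: pre-fix behaviour
        self.enabled = enabled          # False: "no fixup protocol ftp"
        self.partial = {"c2s": "", "s2c": ""}   # unterminated line per direction
        self.pinholes = []

    def inspect(self, direction, segment):
        """Feed the payload of one TCP segment ('c2s' or 's2c'); returns the
        pinholes this segment caused to be opened."""
        if not self.enabled:
            return []
        before = len(self.pinholes)
        if self.hardened:
            # Reassemble complete CRLF-terminated lines across segments, so a
            # fragment of a long "500" reply can never start a new line.
            buf = self.partial[direction] + segment
            *complete, self.partial[direction] = buf.split("\r\n")
            for line in complete:
                self._check_line(direction, line)
        else:
            # Pre-fix behaviour: every segment is parsed on its own and in
            # either direction, so whatever text a segment begins with is
            # taken as the start of a command or reply.
            for piece in segment.split("\r\n"):
                m = PASV_REPLY.match(piece)
                if m:
                    self.pinholes.append(("client",) + hostport(m.groups()))
                m = PORT_CMD.match(piece)
                if m:
                    self.pinholes.append(("server",) + hostport(m.groups()))
        return self.pinholes[before:]

    def _check_line(self, direction, line):
        """Checks from the response to CSCdp86352: 227 only from the server,
        PORT only from the client, complete lines only, data port above 1024,
        plus (an assumption beyond the notice) address equal to the peer's."""
        if direction == "s2c":
            m, owner, initiator = PASV_REPLY.match(line), self.server_ip, "client"
        else:
            m, owner, initiator = PORT_CMD.match(line), self.client_ip, "server"
        if not m:
            return
        ip, port = hostport(m.groups())
        if ip != owner or not 1024 < port < 65536:
            return
        self.pinholes.append((initiator, ip, port))


def scenario_pasv_echo(hardened):
    """CSCdp86352: outside client 192.0.2.7 and protected server 10.0.0.5."""
    fw = FtpFixup(client_ip="192.0.2.7", server_ip="10.0.0.5", hardened=hardened)
    # The attacker's command carries 227 reply text; the server echoes it in
    # a "500" error.  The junk length is chosen so that the server's TCP stack
    # splits the long reply right before the embedded "227".
    cmd = "A" * 1400 + "227 Entering Passive Mode (10,0,0,5,0,139)"
    fw.inspect("c2s", cmd + "\r\n")
    reply = f"500 '{cmd}': command not understood.\r\n"
    cut = reply.index("227")
    return fw.inspect("s2c", reply[:cut]) + fw.inspect("s2c", reply[cut:])


def scenario_client_link(hardened, enabled=True, port=139):
    """CSCdr09226: inside client 10.0.0.20 fetches a link from outside server
    198.51.100.9; the link makes the client emit an extra PORT line."""
    fw = FtpFixup(client_ip="10.0.0.20", server_ip="198.51.100.9",
                  hardened=hardened, enabled=enabled)
    fw.inspect("c2s", "USER anonymous\r\n")
    fw.inspect("s2c", "331 Please specify the password.\r\n")
    p1, p2 = divmod(port, 256)
    return fw.inspect("c2s", f"RETR x\r\nPORT 10,0,0,20,{p1},{p2}\r\n")


if __name__ == "__main__":
    print("CSCdp86352 pre-fix:   ", scenario_pasv_echo(hardened=False))
    print("CSCdp86352 fixed:     ", scenario_pasv_echo(hardened=True))
    print("CSCdr09226 port 139:  ", scenario_client_link(hardened=True))
    print("CSCdr09226 port 6000: ", scenario_client_link(hardened=True, port=6000))
    print("CSCdr09226 no fixup:  ", scenario_client_link(hardened=True, enabled=False, port=6000))
```

The pre-fix path opens a pinhole from any outside host to the protected server's port 139 on the strength of a reply fragment, and the hardened path refuses it because the reassembled line is a "500" reply. In the second scenario the hardened path still opens a pinhole to the inside client's port 6000, showing why the workaround below, rather than the first fix, is the remedy for CSCdr09226.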
Response for the second vulnerability (CSCdr09226)
Cisco is working on a fix for this issue. This notice will be updated when
we have produced a fix.
Software Versions and Fixes
Getting Fixed Software
Cisco is offering free software upgrades to remedy this vulnerability for
all affected customers. Customers with service contracts may upgrade to any
software version. Customers without contracts may upgrade only within a
single row of the table below, except that any available fixed software will
be provided to any customer who can use it and for whom the standard fixed
software is not yet available. As always, customers may install only the
feature sets they have purchased.
Version affected              Interim release (fix will   Projected first fixed regular
                              carry forward into all      release (fix will carry
                              later versions), available  forward into all later
                              now through the TAC         versions)
---------------------------------------------------------------------------------------
All versions of Cisco Secure  4.2(5)205**                 4.2(6); currently not
PIX up to and including                                   scheduled*
4.2(5) (including 2.7, 3.0,
3.1, 4.0, 4.1)

All 4.3.x and 4.4.x up to     4.4(4)202**                 4.4(5); estimated date
and including 4.4(4)                                      available 2000 April 15*

All 5.0.x up to and           5.0(3)202**                 5.0(4); estimated date
including 5.0(3)                                          available 2000 April 30*

Version 5.1(1) (not affected  unaffected                  currently available
by the first vulnerability)

* All dates are tentative and subject to change.
** Interim releases are subjected to less internal testing and verification
than are regular releases, may have serious bugs, and should be installed
with great care.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades should
be obtained via the Software Center on Cisco's Worldwide Web site at
http://www.cisco.com/.
Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:
* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: [email protected]
Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested through
the TAC. Please do not contact either "[email protected]" or
"[email protected]" for software upgrades.
Hardware requirements
A 128MB memory upgrade for the PIX Firewall is necessary if:
* version 4.3 or 4.4 is used on a PIX 'Classic' (this excludes the PIX10000,
  PIX-510, PIX-520, and PIX-515), or
* version 5.0 is used on a PIX 'Classic', PIX10000, or PIX-510 (this
  excludes the PIX-520 and PIX-515).
As with any new software installation, customers planning to upgrade should
carefully read the release notes and other relevant documentation before
beginning any upgrade. Also, be certain that the new version of Cisco Secure
PIX Firewall software is supported by your hardware, and especially that
enough memory is available.
Workarounds
===========
The behaviors described in this document are a result of the default command
"fixup protocol ftp [portnum]". To disable this functionality, enter the
command "no fixup protocol ftp". This disables the PIX's inspection of the
FTP protocol and eliminates both vulnerabilities. The command "fixup protocol
ftp 21" is the default setting of this feature, and is enabled by default on
the Cisco Secure PIX Firewall.
With this workaround, internal clients are forced to use FTP in passive mode,
and inbound FTP service will not be supported. Outbound standard (active)
FTP will not work without "fixup protocol ftp 21"; outbound passive FTP will
function correctly with "no fixup protocol ftp" configured.
Exploitation and Public Announcements
This vulnerability was proposed on the BUGTRAQ list, and in follow-ups to
that article the Cisco Secure PIX Firewall was also identified as
susceptible. As the vulnerabilities have been widely discussed, Cisco is
posting this notice prior to having a full fix, and will update it again
when a full fix is available.
Cisco has had no reports of malicious exploitation of these vulnerabilities.
However, versions of exploit scripts have been posted to various security
related lists.
The vulnerability was reported to Cisco via several sources shortly after
the original posting.
Status of This Notice
This is an interim field notice. Although Cisco cannot guarantee the
accuracy of all statements in this notice, all the facts have been checked
to the best of our ability. Cisco anticipates issuing updated versions of
this notice within two weeks.
Distribution
============
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/pixftp-pub.shtml. In addition to
Worldwide Web posting, the initial version of this notice is being sent to
the following e-mail and Usenet news recipients:
* [email protected]
* [email protected]
* [email protected] (includes CERT/CC)
* [email protected]
* comp.dcom.sys.cisco
* [email protected]
* Various internal Cisco mailing lists
Future updates of this notice, if any, will be placed on Cisco's Worldwide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.
Revision History
================
Revision 1.0  2000 March 16 08:00 AM US/Pacific (UTC-0800) - Initial public
release.
Revision 1.1  2000 March 16 08:00 AM US/Pacific (UTC-0800) - Link
corrections, table head clarification.
Revision 1.3  2000 March 16 02:00 PM US/Pacific (UTC-0800) - Addition of 2nd
vulnerability issues.
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's Worldwide
Web site at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
includes instructions for press inquiries regarding Cisco security notices.
---------------------------------------------------------------------------
This notice is copyright 2000 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, including
all date and version information.
---------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQEVAwUBONGR33LSeEveylnrAQGEaAgAipfZqhM1XoO6qKp11dVWw1obkzlKToP/
6pUL8fLee+ujD74XGEHrlpLH/C6GDeISggNJjGmgphf92VI89YbsIctBw0f717u+
nxtnMCPlPJ2Y/ZaiipGQj+UersLc/A/oL+83JRDoM6G5d/YYD8/cZ35QbKyEdfB4
l40TGk13aFfkNklULv2INw3fiY3DCMX5hOAfEJ8/xXyuQDuTJdPC747TY30nKnD4
W1jyqLhQ02FmRy9AfL31Q2r91qPZ8gCYGTzIy8gs8r/l9qzgE/eiEeivhQ02luFC
4FBXFUJJ3xTioor2zLDRkoGoWvwyXMMtfvFFD35U7oZp3SCevtuvUA==
=3jWU
-----END PGP SIGNATURE-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2
=l8tP
-----END PGP PUBLIC KEY BLOCK-----