COMMAND

    Cisco PIX Firewall

SYSTEMS AFFECTED

    Cisco PIX Firewall versions up to and including 4.2(1)

PROBLEM

    The  Cisco  PIX  Firewall  product  is  shipped  with a management
    application  known  as  PIX  Firewall  Manager,   or PFM. PFM is a
    Worldwide-Web-based  application,  and  includes  a  limited  HTTP
    server.   The  PFM  HTTP  server  runs  on Windows NT computers. A
    vulnerability in the PFM HTTP  server allows any attacker who  can
    connect to  the server  to retrieve  any file  known in advance to
    exist on the  Windows NT host.   In almost all  cases, this  means
    that  the  host  is  vulnerable  to  attack by any user inside the
    firewall, but not by users outside the firewall.  Details follow.

    Brett Oliphant found the following.  Cisco's management  software
    for the PIX Firewall does not perform proper checking of URLs.  As
    a result, any file on the management server can be viewed with  a
    web  browser.   This could  lead to  other, more  informed attacks
    against the  network.   To exploit  this vulnerability,  attackers
    must be able to make TCP  connections to port 8080 on the  NT host
    on which you have installed PFM. In all recommended configurations
    and in  the overwhelming  majority of  actual installations,  port
    8080 of  the PFM  host can  be reached  only from  inside the  PIX
    Firewall, not from the outside.  In addition, attackers must  know
    or discover  the names  and locations  of the  files they  wish to
    read.   This vulnerability  does not  permit "browsing"  of the NT
    host  or  reading  of  directories;  attackers must know where the
    target file  is, or  must make  repeated attempts  at guessing the
    location until the target file is found.
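
    The URL check that the PFM HTTP server evidently lacked, written here
    as an added illustration (not Cisco's code): the request path is
    percent-decoded once, normalised, and resolved against the real
    document root before any file is opened, and anything that resolves
    outside that root is refused with a 403.  The docroot and file names
    in demo() are a constructed fixture.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote, urlsplit


class ForbiddenPath(ValueError):
    """The request path would resolve outside the document root."""


def resolve_request_path(docroot, request_target):
    """Map an HTTP request-target onto a file under docroot, or raise.

    Order matters: strip the query, decode once, reject NUL, canonicalise
    '..', '.' and symlinks against the *real* root, then containment-check.
    """
    root = Path(docroot).resolve()
    path = unquote(urlsplit(request_target).path)
    if "\x00" in path:
        raise ForbiddenPath("NUL byte in request path")
    # Treat the path as relative to docroot however it is spelled; an NT
    # host accepts '\' as a separator, so normalise it before resolving.
    rel = path.replace("\\", "/").lstrip("/")
    candidate = (root / rel).resolve()
    if candidate != root and root not in candidate.parents:
        raise ForbiddenPath("request escapes document root")
    return candidate


def handle_get(docroot, request_target):
    """Return (status, body) for a GET without ever reading outside docroot."""
    try:
        target = resolve_request_path(docroot, request_target)
    except ForbiddenPath:
        return 403, b""
    if not target.is_file():
        return 404, b""
    return 200, target.read_bytes()


def demo():
    """Constructed fixture: one page inside the docroot, one file beside it."""
    base = Path(tempfile.mkdtemp())
    docroot = base / "htdocs"
    docroot.mkdir()
    (docroot / "index.html").write_text("<h1>PFM</h1>")
    (base / "outside.txt").write_text("must never be served")
    targets = ["/index.html", "/sub/../index.html", "/../outside.txt",
               "/%2e%2e/outside.txt", "/..\\outside.txt", "/missing.html"]
    return {t: handle_get(docroot, t)[0] for t in targets}
```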

    If they can meet  these prerequisites, attackers can  retrieve any
    file or files on  the NT host on  which PFM is installed,  as well
    as any file  or files on  network servers accessible  through that
    host's  file  system.  All  files  readable to the "administrator"
    account are affected.  In most cases,  this includes all  files on
    the  local  disk,  and  many  or  most   files  on network-mounted
    volumes.   In  addition  to  obtaining  confidential   information
    directly, attackers may be  able to use information  obtained from
    the retrieved files to help them to conduct other attacks  against
    the NT host.  This  vulnerability can be exploited using  ordinary
    tools available on  most networked computer  systems. There is  no
    need for a special exploitation  program, nor is there a  need for
    any unusual technical skill.

SOLUTION

    This  vulnerability  affects  all  releases  of Cisco PIX Firewall
    Manager  up  to,  and  including,  release  4.2(1).  4.2(2)   beta
    releases are also affected. Fixed versions are available for  both
    4.1-based and 4.2-based  versions of PFM.   The fixed version  for
    4.1 is  4.1(6b).   To use  PFM version  4.1(6b), you  must install
    software version  4.1(6) on  the PIX  Firewall itself.   The fixed
    version  for  4.2  is  4.2(2),  which  will be released along with
    4.2(2) software for the  PIX Firewall itself. 4.2(1)  PIX Firewall
    software is under  line stop because  of software quality  issues,
    and is not recommended  for use or installation.  Therefore, there
    will be  no PFM  fix for  4.2(1) PIX  Firewall software. Customers
    who are using  4.2(1) are advised  to downgrade to  version 4.1(6)
    on their PIX Firewalls,  and to install PFM  4.1(6b).  If this  is
    not possible, customers should  use the workarounds listed  below.
    All  releases  subsequent  to  these  repaired  releases will also
    include the fix. There will be no future vulnerable PFM releases.

    Because a software fix is available, Cisco believes that the  best
    response  for  the  vast  majority  of  customers is to upgrade to
    repaired  software.  These  workarounds   are  offered  only   for
    customers who are  unable to upgrade  for unusual reasons.   Cisco
    believes  that  many  customers  have  installed  the PIX Firewall
    Manager product on their NT workstations, but have finalized their
    PIX  Firewall  configurations  and  are  no  longer actively using
    PFM. The most effective  workaround for these customers  is simply
    to uninstall  PFM, and  to reinstall  a repaired  version later if
    necessary.   Another  possible  workaround  is  to  use   firewall
    devices, such  as the  PIX Firewall  itself, to  prevent untrusted
    users  from  making  connections  to  port  8080 on the NT host on
    which PFM is installed.  Depending on the customer  configuration,
    it may be desirable to move the NT host to the PIX Firewall's  DMZ
    network  to  prevent  access  by  unauthorized  inside  users; the
    security  of  the  other  systems  on  the  DMZ  network should be
    carefully considered in making this decision.  It is not  possible
    to stop  the PFM  HTTP server  from using  the NT  "administrator"
    account.