COMMAND

    cisco

SYSTEMS AFFECTED

    Cisco (see below)

PROBLEM

    The following is based on a Cisco Security Notice.  The Cisco Secure
    PIX Firewall interprets FTP (File Transfer Protocol) commands out of
    context and inappropriately opens temporary access through the
    firewall.  This is an interim notice describing two related
    vulnerabilities.

    The first  vulnerability is  exercised when  the firewall receives
    an  error  message  from  an  internal  FTP  server  containing an
    encapsulated command  such that  the firewall  interprets it  as a
    distinct command.  This vulnerability  can be exploited to open  a
    separate connection through the  firewall.  This vulnerability  is
    documented as Cisco Bug ID CSCdp86352.

    The second  vulnerability is  exercised when  a client  inside the
    firewall browses  to an  external server  and selects  a link that
    the firewall interprets as two  or more FTP commands.   The client
    begins  an  FTP  connection  as  expected  and  at  the  same time
    unexpectedly  executes   another  command   opening  a    separate
    connection   through   the   firewall.    This   vulnerability  is
    documented as Cisco Bug ID CSCdr09226.

    All users of Cisco Secure PIX Firewalls with software versions up to
    and including 4.2(5), 4.4(4), and 5.0(3) that provide access to FTP
    services are at risk from both vulnerabilities.  Cisco Secure PIX
    Firewall software version 5.1(1) is affected by the second
    vulnerability only.

    Any Cisco Secure PIX Firewall that has enabled the fixup  protocol
    ftp  command  is  at  risk  of  unauthorized  transmission of data
    through the firewall.

    The behavior is due to the command "fixup protocol ftp [portnum]",
    which is enabled by default on the Cisco Secure PIX Firewall.  If you
    do not have FTP hosts protected by the PIX with a configuration like
    the example below, you are not exposed to the first attack, in which
    a server is induced to send a valid command encapsulated within an
    error message and the firewall reads that encapsulated fragment as a
    complete, valid command (CSCdp86352).

    To  exploit  this  vulnerability,  attackers  must be able to make
    connections to an  FTP server protected  by the PIX  Firewall.  If
    your Cisco Secure PIX Firewall has configuration lines similar  to
    the following:

        fixup protocol ftp 21

    and either

        conduit permit tcp host 192.168.0.1 eq 21 any

    or

        conduit permit tcp 192.168.0.1 255.255.255.0 eq 21 any

    then it is possible to fool the PIX stateful inspection into opening
    arbitrary TCP ports, which could allow attackers to circumvent the
    defined security policy.

    If you permit internal clients to make arbitrary FTP connections
    outbound, you may be vulnerable to the second vulnerability
    (CSCdr09226).  This is an attack based on CERT advisory "CA-2000-02:
    Malicious HTML Tags Embedded in Client Web Requests" and detailed in
    the BUGTRAQ post "Extending the FTP 'ALG' vulnerability to any FTP
    client":

        http://oliver.efri.hr/~crv/security/bugs/Others/fw-13.html

SOLUTION

    Cisco Secure Integrated Software (formerly Cisco IOS(R) Software
    Firewall Feature Set) is not affected by either vulnerability.

    Response for the first vulnerability (CSCdp86352)
    =================================================
    The following changes have been made to the "fixup protocol ftp"
    behavior of the PIX Firewall:

        * Enforce that only the server can generate a reply indicating
          that the PASV command was accepted (the "227" reply).
        * Enforce that only the client can generate a PORT command.
        * Enforce that the data channel is initiated from the expected
          side in an FTP transaction.
        * Verify that the "227" reply and the PORT command are complete
          commands and not fragments of a "500" error reply that has
          been broken across segments.
        * Enforce that the port is not 0 and not in the range [1,1024].

    These or equivalent changes will be carried forward into all   PIX
    Firewall software versions after version 5.1(1).
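    As an added illustration (not Cisco's code and not the PIX fixup
    implementation), the following Python model contrasts the pre-fix
    inspection behavior described under PROBLEM with an inspector that
    applies the five checks listed above.  The exchange it feeds through
    both inspectors is constructed for the example: a client command whose
    argument is a fake "227" reply, echoed by the internal server inside a
    "500" error that is split by hand so that the "227" begins a TCP
    segment (CSCdp86352), plus the client-side variant in which a long
    path ends in a PORT command (CSCdr09226).  The hosts, ports and class
    names are invented for the example.

```python
# Added illustration (not Cisco code, not a copy of the PIX fixup): a toy
# model of an FTP control-channel inspector before and after the checks
# described in the advisory, fed constructed TCP segments.
import re

# Grammar of the two messages that cause a data channel to be opened.
PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.IGNORECASE)


def _endpoint(m):
    """Turn the h1,h2,h3,h4,p1,p2 groups into (host, port)."""
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


class NaiveFtpFixup:
    """Pre-fix behaviour as the advisory describes it: every TCP segment is
    parsed as if it began a new command, and neither the direction nor the
    port number is checked."""

    def __init__(self):
        self.pinholes = []  # (host, port) the firewall would open

    def segment(self, direction, data):
        text = data.decode("ascii", "replace").split("\r\n", 1)[0]
        m = PASV_RE.match(text) or PORT_RE.match(text)
        if m:
            self.pinholes.append(_endpoint(m))
        return list(self.pinholes)


class HardenedFtpFixup:
    """Applies the checks from 'Response for the first vulnerability':
    reassemble complete lines per direction, accept 227 only from the
    server and PORT only from the client, refuse port 0 and ports 1-1024."""

    def __init__(self):
        self.pinholes = []
        self.buf = {"client": b"", "server": b""}

    def segment(self, direction, data):
        self.buf[direction] += data
        # Act only on CRLF-terminated lines, so a fragment of a longer
        # reply can never be mistaken for a complete 227 or PORT.
        while b"\r\n" in self.buf[direction]:
            line, _, self.buf[direction] = self.buf[direction].partition(b"\r\n")
            self._complete_line(direction, line.decode("ascii", "replace"))
        return list(self.pinholes)

    def _complete_line(self, direction, line):
        if direction == "server":
            m = PASV_RE.match(line)        # 227 must begin a server reply
        else:
            m = PORT_RE.match(line)        # PORT must begin a client command
        if m:
            host, port = _endpoint(m)
            if port == 0 or port <= 1024:  # advisory: not 0, not in [1,1024]
                return
            self.pinholes.append((host, port))


def run(exchange, fixup):
    """Feed (direction, segment bytes) pairs through an inspector and return
    the pinholes it opened."""
    for direction, data in exchange:
        fixup.segment(direction, data)
    return fixup.pinholes


# Constructed exchange for CSCdp86352 (hosts/ports invented): the external
# client sends a bogus command whose argument is a 227 reply; the internal
# server echoes it in a 500 error, and the segmentation, chosen by hand
# here, puts the echoed "227 ..." at the start of the second segment.
SMUGGLED = b"227 Entering Passive Mode (10,0,0,5,4,1)"
CLIENT_CMD = b"XXXX" * 4 + SMUGGLED + b"\r\n"
SERVER_REPLY = b"500 '" + CLIENT_CMD.rstrip(b"\r\n") + b"': command not understood\r\n"
cut = SERVER_REPLY.index(SMUGGLED)
ENCAPSULATED_227 = [
    ("client", CLIENT_CMD),
    ("server", SERVER_REPLY[:cut]),
    ("server", SERVER_REPLY[cut:]),
]

# Constructed exchange for CSCdr09226: an internal client follows an FTP
# link whose long path ends in a PORT command, split the same way.
CLIENT_PATH = b"CWD " + b"A" * 16 + b"PORT 10,0,0,7,0,139\r\n"
cut2 = CLIENT_PATH.index(b"PORT")
SPLIT_PORT = [
    ("client", CLIENT_PATH[:cut2]),
    ("client", CLIENT_PATH[cut2:]),
]

# A legitimate passive transfer, which the hardened inspector must allow.
LEGIT_PASV = [
    ("client", b"PASV\r\n"),
    ("server", b"227 Entering Passive Mode (10,0,0,5,15,163)\r\n"),
]

if __name__ == "__main__":
    for name, exchange in [("encapsulated 227", ENCAPSULATED_227),
                           ("split PORT", SPLIT_PORT),
                           ("legit PASV", LEGIT_PASV)]:
        print(name, "naive:", run(exchange, NaiveFtpFixup()),
              "hardened:", run(exchange, HardenedFtpFixup()))
```

    Run as a script, the naive inspector opens a pinhole to 10.0.0.5:1025
    for the encapsulated reply and to 10.0.0.7:139 for the split PORT
    command, while the hardened inspector opens nothing for either and
    still opens 10.0.0.5:4003 for the legitimate passive transfer.  The
    decisive check is reassembling complete CRLF-terminated lines per
    direction before matching; in this model that also defeats the
    constructed client-side split, although the advisory notes that
    Cisco's own fix for CSCdr09226 was still pending.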

    Response for the second vulnerability (CSCdr09226)
    ==================================================
    Cisco is working on a fix  for this issue.  This advisory  will be
    updated when we have produced a fix.

    Cisco  is  offering   free  software  upgrades   to  remedy   this
    vulnerability for all affected customers.  Customers with  service
    contracts may upgrade to any software version.  Customers  without
    contracts may upgrade only within a single row of the table below,
    except that any available fixed  software will be provided to  any
    customer who can use it  and for whom the standard  fixed software
    is not yet  available. As always,  customers may install  only the
    feature sets they have purchased.

        Version Affected        Interim Release**        Projected first fixed
                                (fix will carry forward  regular release (fix
                                into all later           will carry forward
                                versions); available     into all later
                                now through the TAC      versions)
        ----------------------  -----------------------  -----------------------
        All versions of Cisco   4.2(5)205**              4.2(6); currently not
        Secure PIX up to and                             scheduled*
        including 4.2(5)
        (including 2.7, 3.0,
        3.1, 4.0, 4.1)

        All 4.3.x and 4.4.x up  4.4(4)202**              4.4(5); estimated
        to and including                                 availability
        4.4(4)                                           2000 April 15*

        All 5.0.x up to and     5.0(3)202**              5.0(4); estimated
        including 5.0(3)                                 availability
                                                         2000 April 30*

        Version 5.1(1)          unaffected               currently available
        (not affected by
        CSCdp86352; see above
        for CSCdr09226)

    * All dates are tentative and subject to change
   ** Interim  releases  are  subjected  to less internal testing  and
      verification than are regular  releases, may have serious  bugs,
      and should be installed with great care.

    Hardware requirements
    =====================
    If version 4.3 or 4.4 is used on a PIX 'Classic' (this excludes the
    PIX10000, PIX-510, PIX-520, and PIX-515), or if version 5.0 is used
    on a PIX 'Classic', PIX10000, or PIX-510 (this excludes the PIX-520
    and PIX-515), a 128MB memory upgrade for the PIX Firewall is
    necessary.  As with any new software installation, customers
    planning to upgrade should carefully read the release notes and
    other relevant documentation before beginning any upgrade.  It is
    also important to be certain that the new version of Cisco Secure
    PIX Firewall software is supported by your hardware, and especially
    that enough memory is available.

    Workarounds
    ===========
    The behaviors described in this document are a result of the default
    command "fixup protocol ftp [portnum]", whose default form "fixup
    protocol ftp 21" is enabled on every Cisco Secure PIX Firewall out
    of the box.  To disable this functionality, enter the command "no
    fixup protocol ftp".  This disables FTP inspection in the PIX and
    eliminates both vulnerabilities, at a cost: clients are forced to
    use FTP in passive mode, and inbound FTP service will not be
    supported.  Outbound standard (active-mode) FTP will not work
    without "fixup protocol ftp 21", because the PIX no longer reads the
    client's PORT command and so cannot open the inbound data
    connection; passive FTP continues to work because both the control
    and data connections are initiated from the inside, which the
    outbound policy already permits.