COMMAND
cisco
SYSTEMS AFFECTED
Cisco (see below)
PROBLEM
The following is based on a Cisco Security Notice. The Cisco Secure
PIX Firewall interprets FTP (File Transfer Protocol) commands out
of context and inappropriately opens temporary access through the
firewall. This is an interim notice describing two related
vulnerabilities.
The first vulnerability is exercised when the firewall receives
an error message from an internal FTP server containing an
encapsulated command such that the firewall interprets it as a
distinct command. This vulnerability can be exploited to open a
separate connection through the firewall. This vulnerability is
documented as Cisco Bug ID CSCdp86352.
The second vulnerability is exercised when a client inside the
firewall browses to an external server and selects a link that
the firewall interprets as two or more FTP commands. The client
begins an FTP connection as expected and at the same time
unexpectedly executes another command opening a separate
connection through the firewall. This vulnerability is
documented as Cisco Bug ID CSCdr09226.
All users of Cisco Secure PIX Firewalls with software versions up
to and including 4.2(5), 4.4(4), and 5.0(3) that provide access to
FTP services are at risk from both vulnerabilities. Cisco Secure
PIX Firewall software version 5.1(1) is affected by the second
vulnerability only.
Any Cisco Secure PIX Firewall that has enabled the fixup protocol
ftp command is at risk of unauthorized transmission of data
through the firewall.
The behavior is due to the command fixup protocol ftp [portnum],
which is enabled by default on the Cisco Secure PIX Firewall.
If you do not have protected FTP hosts with the accompanying
configuration (configuration example below), you are not
vulnerable to the first attack (CSCdp86352), in which a server
sends a valid command encapsulated within an error message and the
firewall reads the encapsulated partial command as a valid
command.
To exploit this vulnerability, attackers must be able to make
connections to an FTP server protected by the PIX Firewall. If
your Cisco Secure PIX Firewall has configuration lines similar to
the following:
    fixup protocol ftp 21
and either
    conduit permit tcp host 192.168.0.1 eq 21 any
or
    conduit permit tcp 192.168.0.1 255.255.255.0 eq 21 any
it is possible to fool the PIX stateful inspection into opening
up arbitrary TCP ports, which could allow attackers to circumvent
defined security policies.
If you permit internal clients to make arbitrary FTP connections
outbound, you may be vulnerable to the second vulnerability
(CSCdr09226). This is an attack based on CERT advisory
"CA-2000-02: Malicious HTML Tags Embedded in Client Web Requests"
and detailed in the BUGTRAQ post "Extending the FTP 'ALG'
vulnerability to any FTP client":
http://oliver.efri.hr/~crv/security/bugs/Others/fw-13.html
SOLUTION
Cisco Secure Integrated Software (formerly Cisco IOS® Software
Firewall Feature Set) is not affected by either vulnerability.
Response for the first vulnerability (CSCdp86352)
=================================================
The following changes have been made to the "fixup protocol FTP"
behavior of the PIX Firewall:
* Enforce that only the server can generate a reply
indicating the PASV command was accepted.
* Enforce that only the client can generate a PORT command.
* Enforce that the data channel is initiated from the expected
side in an FTP transaction.
* Verify that the "227" reply code and the PORT command are
complete commands and not part of a "500" error code string
broken into fragments.
* Enforce that the data port is neither 0 nor in the range
[1,1024].
These or equivalent changes will be carried forward into all PIX
Firewall software versions after version 5.1(1).
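As an added illustration (not Cisco's code, and not how the PIX implements its FTP fixup), the following Python control-channel inspector applies the five checks listed above to constructed client and server traffic, including the case the first vulnerability describes: a "500" error reply split across TCP segments so that a later segment begins with "227". The `(initiator, host, port)` result shape, the `FtpControlInspector` class and the `demo()` samples are assumptions of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

CLIENT, SERVER = "client", "server"
Channel = Tuple[str, str, int]  # (initiator, host, port) the firewall may permit
# RFC 959 h1,h2,h3,h4,p1,p2 tuple shared by the PORT command and the 227 reply.
_ADDR = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_CMD = re.compile(r"^PORT " + _ADDR + r"$", re.IGNORECASE)
PASV_REPLY = re.compile(r"^227 [^(]*\(" + _ADDR + r"\)")


class FtpControlInspector:
    """CSCdp86352 checks for one control connection: PORT only from the client,
    227 only from the server, both only as complete CRLF-terminated lines (a
    "500 ..." fragment is never a command), and no data port of 0 or in [1,1024]."""

    def __init__(self) -> None:
        self._buf: Dict[str, bytes] = {CLIENT: b"", SERVER: b""}  # per-direction reassembly

    def feed(self, direction: str, segment: bytes) -> List[Channel]:
        """Consume one TCP segment from `direction`; return data channels to permit."""
        buf = self._buf[direction] + segment
        opened: List[Channel] = []
        while b"\r\n" in buf:  # act only on complete lines, never on a fragment
            line, _, buf = buf.partition(b"\r\n")
            decision = self._inspect(direction, line.decode("ascii", "replace"))
            if decision is not None:
                opened.append(decision)
        self._buf[direction] = buf  # keep any unterminated tail for the next segment
        return opened

    @staticmethod
    def _inspect(direction: str, line: str) -> Optional[Channel]:
        if direction == CLIENT:  # active mode: the server will connect to the client
            match, initiator = PORT_CMD.match(line), SERVER
        else:                    # passive mode: the client will connect to the server
            match, initiator = PASV_REPLY.match(line), CLIENT
        if match is None or any(int(g) > 255 for g in match.groups()):
            return None
        host = ".".join(match.groups()[:4])
        port = int(match.group(5)) * 256 + int(match.group(6))
        return None if port <= 1024 else (initiator, host, port)  # 0 and [1,1024] rejected


def demo() -> List[List[Channel]]:
    """Constructed traffic: valid 227 reply; PORT to a privileged port; split "500" error."""
    insp = FtpControlInspector()
    return [insp.feed(SERVER, b"227 Entering Passive Mode (192,168,0,1,4,1)\r\n"),
            insp.feed(CLIENT, b"PORT 10,0,0,5,0,80\r\n"),
            insp.feed(SERVER, b"500 '") + insp.feed(
                SERVER, b"227 Entering Passive Mode (192,168,0,1,4,2)': not understood\r\n")]
```

Only the first sample in `demo()` yields a channel to open; the privileged PORT and the reassembled "500" reply are both rejected.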
Response for the second vulnerability (CSCdr09226)
==================================================
Cisco is working on a fix for this issue. This advisory will be
updated when we have produced a fix.
Cisco is offering free software upgrades to remedy this
vulnerability for all affected customers. Customers with service
contracts may upgrade to any software version. Customers without
contracts may upgrade only within a single row of the table below,
except that any available fixed software will be provided to any
customer who can use it and for whom the standard fixed software
is not yet available. As always, customers may install only the
feature sets they have purchased.
Version Affected                       Interim Release**           Projected first fixed
                                       (fix will carry forward     regular release
                                       into all later versions;    (fix will carry forward
                                       available now through       into all later versions)
                                       the TAC)
-------------------------------------  --------------------------  ---------------------------
All versions of Cisco Secure PIX up    4.2(5)205**                 4.2(6) - currently not
to version 4.2(5) (including 2.7,                                  scheduled*
3.0, 3.1, 4.0, 4.1)
All 4.3.x and 4.4.x up to and          4.4(4)202**                 4.4(5) - estimated date
including version 4.4(4)                                           available: 2000 April 15*
All 5.0.x up to and including          5.0(3)202**                 5.0(4) - estimated date
version 5.0(1)                                                     available: 2000 April 30*
Version 5.1(1) - not affected          - unaffected                Currently available
* All dates are tentative and subject to change
** Interim releases are subjected to less internal testing and
verification than are regular releases, may have serious bugs,
and should be installed with great care.
Hardware requirements
=====================
If version 4.3 or 4.4 is used on a PIX 'Classic' (this excludes the
PIX10000, PIX-510, PIX-520, and PIX-515), or if version 5.0 is
used on a PIX 'Classic', PIX10000, or PIX-510 (this excludes the
PIX-520 and PIX-515), a 128MB memory upgrade for the PIX Firewall
is necessary. As with any
new software installation, customers planning to upgrade should
carefully read the release notes and other relevant documentation
before beginning any upgrade. Also, it is important to be certain
that the new version of Cisco Secure PIX Firewall software is
supported by your hardware, and especially that enough memory is
available.
Workarounds
===========
The behaviors described in this document are a result of the
default command "fixup protocol ftp [portnum]". To disable this
functionality, enter the command "no fixup protocol ftp". This
will disable support of the fixup of the FTP protocol in the PIX,
and will eliminate the vulnerabilities. The command "fixup
protocol ftp 21" is the default setting of this feature, and is
enabled by default on the Cisco Secure PIX Firewall. This
workaround will force your clients to use FTP in passive mode,
and inbound FTP service will not be supported. Outbound standard
FTP will not work without fixup protocol ftp 21, however, passive
FTP will function correctly with no fixup protocol ftp configured.