COMMAND

    Cisco PIX

SYSTEMS AFFECTED

    Up and including 4.4(6), 5.0(3), 5.1(3) and 5.2(2)

PROBLEM

    Following  is  based  on  a  Cisco  Security  Advisory.  The Cisco
    Secure  PIX  firewall  feature  "mailguard,"  which  limits   SMTP
    commands to a specified minimum set of commands, can be  bypassed.
    This  vulnerability  can  be  exploited  to  bypass  SMTP  command
    filtering.   This  vulnerability  has  been  assigned Cisco bug ID
    CSCdr91002 and  CSCds30699.   A new  aspect of  this vulnerability
    has been assigned Cisco bug ID CSCds38708.

    All users of Cisco Secure PIX Firewalls with software versions  up
    to and including  4.4(6), 5.0(3), 5.1(3)  and 5.2(2) that  provide
    access to SMTP Mail services are at risk.

    The behavior  is a  failure of  the command  "fixup protocol  smtp
    [portnum]", which is  enabled by default  on the Cisco  Secure PIX
    Firewall.   If  you  do  not  have  protected  Mail hosts with the
    accompanying configuration (configuration  example below) you  are
    not affected by this vulnerability.

    To  exploit  this  vulnerability,  attackers  must be able to make
    connections to an SMTP mail server protected by the PIX  Firewall.
    If your Cisco Secure PIX Firewall has configuration lines  similar
    to the following:

        fixup protocol smtp 25

    and either

        conduit permit tcp host 192.168.0.1 eq 25 any

    or

        conduit permit tcp 192.168.0.1 255.255.255.0 eq 25 any

    or

        access-list 100 permit tcp any host 192.168.0.1 eq 25
        access-group 100 in interface outside

    The  expected   filtering  of   the  Mailguard   feature  can   be
    circumvented by an attacker.

    The Mailguard feature is  intended to help protect  weakly secured
    mail servers.  The workaround for this issue is to secure the mail
    servers themselves, or upgrade to fixed PIX firewall code.

    In order to exploit this vulnerability, an attacker would need  to
    also exploit  the mailserver  that is  currently protected  by the
    PIX.   If  that  server  is  already  well configured, and has the
    latest security patches and fixes from the SMTP vendor, that  will
    minimize the potential for exploitation of this vulnerability.

SOLUTION

    The IOS Firewall feature set is not affected by either of the above
    defects.  There is not a direct workaround for this vulnerability.
    The potential for  exploitation can be  lessened by ensuring  that
    mail servers are secured without relying on the PIX functionality.

    Cisco  is  offering   free  software  upgrades   to  remedy   this
    vulnerability for all affected customers.  Customers with  service
    contracts may upgrade to any software version.  Customers  without
    contracts may upgrade only within a single row of the table below,
    except that any available fixed  software will be provided to  any
    customer who can use it  and for whom the standard  fixed software
    is not yet available.   As always, customers may install  only the
    feature sets they have purchased.

    +-------------------------------------+----------------------------------+
    |                                     | Fixed Regular Release available  |
    | Version Affected                    | now; fix will carry forward into |
    |                                     | all later releases               |
    +-------------------------------------+----------------------------------+
    | All versions of Cisco Secure PIX up |                                  |
    | to version 4.4(6) (including 2.7,   | 4.4(7)                           |
    | 3.0, 3.1, 4.0, 4.1)                 |                                  |
    +-------------------------------------+----------------------------------+
    | Version 5.0.x up to and including   |                                  |
    | version 5.0(3)                      | 5.1(4)                           |
    +-------------------------------------+----------------------------------+
    | All 5.1.x up to and including       |                                  |
    | version 5.1(3)*                     | 5.1(4)                           |
    +-------------------------------------+----------------------------------+
    | Version 5.2(2)                      | 5.2(3)                           |
    +-------------------------------------+----------------------------------+

    * For  customers  who  may  have  engineering releases  addressing
      specific  unrelated  defects,  designated  as 5.1(2)2xx, version
      5.1(4)  only  includes  the  SMTP  security  fixes  and does not
      include  any  other  bugfixes.  Customers  requiring engineering
      releases to address specific unrelated defects will need to  use
      5.1.4(200) or 4.4.7(200),  which include all  SMTP vulnerability
      fixes.
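
    The following defender-side check is an added example, not part of the
    Cisco advisory: it flags the configuration pattern quoted under PROBLEM
    (an SMTP fixup together with a conduit, or an inbound access-list, that
    permits TCP to the fixup's port on a protected host) and maps a running
    PIX version onto the fixed release from the table above.  The sample
    configuration is constructed, and treating an omitted fixup port as 25
    is an assumption.

```python
import re

# From the advisory's table: each train's last affected release and the fixed
# release to move to.  Versions before 4.4 (2.7 .. 4.1) fall under the first row.
LAST_AFFECTED = {(4, 4): ((4, 4, 6), "4.4(7)"), (5, 0): ((5, 0, 3), "5.1(4)"),
                 (5, 1): ((5, 1, 3), "5.1(4)"), (5, 2): ((5, 2, 2), "5.2(3)")}

# Constructed sample config reproducing the pattern quoted in the advisory.
SAMPLE_CONFIG = """\
fixup protocol smtp 25
conduit permit tcp host 192.168.0.1 eq 25 any
access-list 100 permit tcp any host 192.168.0.1 eq 25
access-group 100 in interface outside
"""

def parse_version(text):
    """'5.1(3)' -> (5, 1, 3); raises ValueError on anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)", text.strip())
    if not m:
        raise ValueError(f"unrecognised PIX version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def fixed_release(version):
    """Fixed release for an affected version, or None if outside the table."""
    v = parse_version(version)
    if v < (4, 4, 0):
        return "4.4(7)"
    entry = LAST_AFFECTED.get(v[:2])
    return entry[1] if entry and v <= entry[0] else None

def mailguard_exposure(config):
    """Return the conduit / inbound access-list lines permitting TCP to a port
    handled by 'fixup protocol smtp [port]'; empty means the pattern is absent."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # Ports covered by the SMTP fixup; when the port is omitted, assume 25.
    ports = {int(m.group(1) or 25) for ln in lines
             if (m := re.fullmatch(r"fixup protocol smtp(?: (\d+))?", ln))}
    # Only access-lists bound inbound on an interface actually permit traffic.
    inbound = {m.group(1) for ln in lines
               if (m := re.fullmatch(r"access-group (\S+) in interface \S+", ln))}
    hits = []
    for ln in lines:
        c = re.fullmatch(r"conduit permit tcp (?:host \S+|\S+ \S+) eq (\d+) any", ln)
        a = re.fullmatch(r"access-list (\S+) permit tcp any host \S+ eq (\d+)", ln)
        if (c and int(c.group(1)) in ports) or \
           (a and a.group(1) in inbound and int(a.group(2)) in ports):
            hits.append(ln)
    return hits
```

    An empty result from mailguard_exposure() corresponds to the advisory's
    "not affected" case; a non-empty one means the fixed release returned by
    fixed_release() applies.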