COMMAND
Cisco PIX
SYSTEMS AFFECTED
Up and including 4.4(6), 5.0(3), 5.1(3) and 5.2(2)
PROBLEM
Following is based on a Cisco Security Advisory. The Cisco
Secure PIX firewall feature "mailguard," which limits SMTP
commands to a specified minimum set of commands, can be bypassed.
This vulnerability can be exploited to bypass SMTP command
filtering. This vulnerability has been assigned Cisco bug ID
CSCdr91002 and CSCds30699. A new aspect of this vulnerability
has been assigned Cisco bug ID CSCds38708.
All users of Cisco Secure PIX Firewalls with software versions up
to and including 4.4(6), 5.0(3), 5.1(3) and 5.2(2) that provide
access to SMTP Mail services are at risk.
The defect is in the command "fixup protocol smtp [portnum]",
which is enabled by default on the Cisco Secure PIX Firewall. If
you have no mail hosts protected by that command together with a
conduit or access-list that admits SMTP from outside
(configuration example below), you are not affected by this
vulnerability.
To exploit this vulnerability, attackers must be able to make
connections to an SMTP mail server protected by the PIX Firewall.
If your Cisco Secure PIX Firewall has configuration lines similar
to the following:
fixup protocol smtp 25
and either
conduit permit tcp host 192.168.0.1 eq 25 any
or
conduit permit tcp 192.168.0.1 255.255.255.0 eq 25 any
or
access-list 100 permit tcp any host 192.168.0.1 eq 25
access-group 100 in interface outside
The expected filtering of the Mailguard feature can be
circumvented by an attacker.
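As an added check that is not part of the Cisco advisory, the following Python script tests the two conditions the advisory combines: a software version in one of the affected ranges, and a configuration that both enables mailguard on a port and admits that port from outside through a conduit or an access-list bound inbound on the outside interface. The version ceilings and fixed releases are copied from the advisory's table; the sample configuration is constructed for the example and is not from a real device; treating a bare "fixup protocol smtp" as port 25, and the accepted version string formats, are assumptions.

```python
import re

# Constructed PIX configuration fragment (not from a real device) that
# matches the advisory's pattern: mailguard on port 25, one conduit and
# one outside-bound access-list permitting that port.
SAMPLE_CONFIG = """\
fixup protocol smtp 25
fixup protocol ftp 21
conduit permit tcp host 192.168.0.1 eq 25 any
access-list 100 permit tcp any host 192.168.0.1 eq 25
access-list 100 permit tcp any host 192.168.0.1 eq 80
access-list 200 permit tcp any host 192.168.0.2 eq 25
access-group 100 in interface outside
"""

# Ceilings and fixed releases copied from the advisory's table.
# (train prefix or None for "every release", last affected, fixed release)
AFFECTED = [
    (None,   (4, 4, 6), "4.4(7)"),   # everything up to 4.4(6), incl. 2.x/3.x/4.x
    ((5, 0), (5, 0, 3), "5.1(4)"),
    ((5, 1), (5, 1, 3), "5.1(4)"),
    ((5, 2), (5, 2, 2), "5.2(3)"),
]


def parse_version(text):
    """Turn '5.1(3)', '2.7' or '5.1.4(200)' into a comparable tuple.
    Assumption: major.minor followed by an optional (build) or .build;
    an engineering suffix such as '(200)' after a third number is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:[.(](\d+)\)?)?", text)
    if not m:
        raise ValueError("unrecognised PIX version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def affected_status(version):
    """Return ('affected', fixed_release) or ('not affected', None) per the
    advisory's table; the fix carries forward, so anything above a
    ceiling in a listed train, or in a later train, is treated as fixed."""
    v = parse_version(version)
    for train, ceiling, fixed in AFFECTED:
        if (train is None or v[:2] == train) and v <= ceiling:
            return ("affected", fixed)
    return ("not affected", None)


def smtp_exposure(config_text):
    """Return the permit lines that expose a mailguard-filtered port
    through a conduit or an access-list bound inbound on 'outside'.
    An empty list means the config does not match the advisory's pattern."""
    fixup_ports = set()
    conduits = []        # (port, line)
    acl_permits = {}     # acl name -> [(port, line)]
    outside_acls = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(no )?fixup protocol smtp(?: (\d+))?$", line)
        if m:
            port = int(m.group(2) or 25)   # assumption: default port is 25
            if m.group(1):
                fixup_ports.discard(port)   # "no fixup ..." turns mailguard off
            else:
                fixup_ports.add(port)
            continue
        m = re.match(r"^conduit permit tcp .*\beq (\d+)\b", line)
        if m:
            conduits.append((int(m.group(1)), line))
            continue
        m = re.match(r"^access-list (\S+) permit tcp .*\beq (\d+)\b", line)
        if m:
            acl_permits.setdefault(m.group(1), []).append((int(m.group(2)), line))
            continue
        m = re.match(r"^access-group (\S+) in interface outside$", line)
        if m:
            outside_acls.add(m.group(1))
    exposed = [line for port, line in conduits if port in fixup_ports]
    for acl in sorted(outside_acls):
        exposed += [line for port, line in acl_permits.get(acl, [])
                    if port in fixup_ports]
    return exposed


def at_risk(version, config_text):
    """True when the PIX runs an affected release and its configuration
    exposes a mailguard-filtered port, which is the advisory's condition."""
    status, _ = affected_status(version)
    return status == "affected" and bool(smtp_exposure(config_text))


if __name__ == "__main__":
    for ver in ("5.1(3)", "5.1(4)"):
        print(ver, affected_status(ver), "at risk:", at_risk(ver, SAMPLE_CONFIG))
    for line in smtp_exposure(SAMPLE_CONFIG):
        print("exposes mailguard port:", line)
```

Only access-lists actually applied with "access-group ... in interface outside" count, and only permits whose port matches an enabled "fixup protocol smtp" line; a permit for port 80 or an access-list that is defined but never bound is not reported. Run it against the output of "show config" on each PIX, with the version from "show version".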
The Mailguard feature is intended to help protect weakly secured
mail servers. The workaround for this issue is to secure the mail
servers themselves, or upgrade to fixed PIX firewall code.
To exploit this vulnerability, an attacker would also have to
exploit the mail server that the PIX is protecting. A server
that is well configured and carries the latest security patches
and fixes from its SMTP software vendor limits what the loss of
Mailguard filtering can be turned into.
SOLUTION
The IOS Firewall feature set is not affected by any of the above
defects. There is no direct workaround for this vulnerability. The
potential for exploitation can be lessened by ensuring that mail
servers are secured without relying on the PIX functionality.
Cisco is offering free software upgrades to remedy this
vulnerability for all affected customers. Customers with service
contracts may upgrade to any software version. Customers without
contracts may upgrade only within a single row of the table below,
except that any available fixed software will be provided to any
customer who can use it and for whom the standard fixed software
is not yet available. As always, customers may install only the
feature sets they have purchased.
+-------------------------------------+----------------------------------+
| | Fixed Regular Release available |
| Version Affected | now; fix will carry forward into |
| | all later releases |
+-------------------------------------+----------------------------------+
| All versions of Cisco Secure PIX up | |
| to version 4.4(6) (including 2.7, | 4.4(7) |
| 3.0, 3.1, 4.0, 4.1) | |
+-------------------------------------+----------------------------------+
| Version 5.0.x up to and including | |
| version 5.0(3) | 5.1(4) |
+-------------------------------------+----------------------------------+
| All 5.1.x up to and including | |
| version 5.1(3)* | 5.1(4) |
+-------------------------------------+----------------------------------+
| Version 5.2(2) | 5.2(3) |
+-------------------------------------+----------------------------------+
* For customers who may have engineering releases addressing
specific unrelated defects, designated as 5.1(2)2xx, version
5.1(4) only includes the SMTP security fixes and does not
include any other bugfixes. Customers requiring engineering
releases to address specific unrelated defects will need to use
5.1.4(200) or 4.4.7(200), which include all SMTP vulnerability
fixes.