http://www.cisco.com/warp/public/707/pixftp-pub.shtml

Cisco Secure PIX Firewall FTP Vulnerabilities

Revision 1.3

For public release 2000 March 16 05:00 PM US/Pacific (UTC+0800)

________________________________________________________________________________________________

Summary

The Cisco Secure PIX Firewall interprets FTP (File Transfer Protocol) commands out of context and inappropriately opens temporary access through the firewall. This is an interim notice describing two related vulnerabilities.

The first vulnerability is exercised when the firewall receives an error message from an internal FTP server containing an encapsulated command such that the firewall interprets it as a distinct command. This vulnerability can be exploited to open a separate connection through the firewall. This vulnerability is documented as Cisco Bug ID CSCdp86352.

The second vulnerability is exercised when a client inside the firewall browses to an external server and selects a link that the firewall interprets as two or more FTP commands. The client begins an FTP connection as expected and at the same time unexpectedly executes another command opening a separate connection through the firewall. This vulnerability is documented as Cisco Bug ID CSCdr09226.

Either vulnerability can be exploited to transmit information through the firewall without authorization. Fixed software and workarounds are available to address the first vulnerability. Fixed software is not yet available for the second vulnerability, but a workaround is provided.

Who Is Affected

All users of Cisco Secure PIX Firewalls with software versions up to and including 4.2(5), 4.4(4), and 5.0(3) that provide access to FTP services are at risk from both vulnerabilities. Cisco Secure PIX Firewall with software version 5.1(1) is affected by the second vulnerability only.

Cisco Secure Integrated Software (formerly Cisco IOS® Software Firewall Feature Set) is not affected by either vulnerability.
Impact

Any Cisco Secure PIX Firewall that has enabled the fixup protocol ftp command is at risk of unauthorized transmission of data through the firewall.

Details

The first vulnerability has been assigned Cisco bug ID CSCdp86352. The second vulnerability has been assigned Cisco bug ID CSCdr09226.

The behavior is due to the command fixup protocol ftp [portnum], which is enabled by default on the Cisco Secure PIX Firewall.

If you do not have protected FTP hosts with the accompanying configuration (configuration example below), you are not vulnerable to the attack in which a server sends a valid command encapsulated within an error message and the firewall reads the encapsulated partial command as a valid command (CSCdp86352). To exploit this vulnerability, attackers must be able to make connections to an FTP server protected by the PIX Firewall.

If your Cisco Secure PIX Firewall has configuration lines similar to the following:

    fixup protocol ftp 21

and either

    conduit permit tcp host 192.168.0.1 eq 21 any

or

    conduit permit tcp 192.168.0.1 255.255.255.0 eq 21 any

it is possible to fool the PIX stateful inspection into opening up arbitrary TCP ports, which could allow attackers to circumvent defined security policies.

If you permit internal clients to make arbitrary FTP connections outbound, you may be vulnerable to the second vulnerability (CSCdr09226). This is an attack based on CERT advisory CA-2000-02: Malicious HTML Tags Embedded in Client Web Requests, http://www.cert.org/advisories/CA-2000-02.html, and detailed in the BUGTRAQ post "Extending the FTP 'ALG' vulnerability to any FTP client", http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-08&msg=38C8C8EE.544524B1@enternet.se

The recommendation in the workarounds section of this document will provide protection against this vulnerability.
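As an added illustration (not code from Cisco or from the PIX), the following Python inspector implements the control-channel checks listed under the response for the first vulnerability below: a 227 reply is honoured only from the server side and a PORT command only from the client side, each only once its CRLF-terminated line is complete, and ports 0 and 1 through 1024 are rejected. The reply and command strings it is fed are constructed samples, not captured traffic.

```python
"""Added example (not Cisco code): a line-reassembling FTP control-channel
inspector applying the checks listed in the response section for CSCdp86352."""
import re
from typing import Dict, List, Optional, Tuple

# 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; PORT command: "PORT h1,h2,h3,h4,p1,p2".
# Both patterns are anchored at line start, so text embedded in another reply never matches.
PASV_RE = re.compile(r"^227 .*?\(?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)?")
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")

# (expected initiator of the data channel, host, port)
Opening = Tuple[str, str, int]


class FtpInspector:
    """Tracks one FTP control connection. Each direction is buffered separately and
    a line is interpreted only once its CRLF terminator has arrived, so a fragment
    of a "500" error that happens to start a TCP segment is never read as a command."""

    def __init__(self) -> None:
        self.buf: Dict[str, bytes] = {"client": b"", "server": b""}

    def feed(self, direction: str, segment: bytes) -> List[Opening]:
        """Feed one TCP segment from 'client' or 'server'; return the data-channel
        openings the firewall may permit as a result."""
        if direction not in self.buf:
            raise ValueError("direction must be 'client' or 'server'")
        self.buf[direction] += segment
        openings: List[Opening] = []
        while b"\r\n" in self.buf[direction]:
            line, _, self.buf[direction] = self.buf[direction].partition(b"\r\n")
            opening = self._interpret(direction, line.decode("ascii", "replace"))
            if opening is not None:
                openings.append(opening)
        return openings

    @staticmethod
    def _interpret(direction: str, line: str) -> Optional[Opening]:
        if direction == "server":
            # Only the server may announce that PASV was accepted; the client then connects.
            match, initiator = PASV_RE.match(line), "client"
        else:
            # Only the client may issue PORT; the server then connects back to it.
            match, initiator = PORT_RE.match(line), "server"
        if match is None:
            return None
        host = ".".join(match.group(i) for i in range(1, 5))
        port = int(match.group(5)) * 256 + int(match.group(6))
        if port == 0 or 1 <= port <= 1024:  # reject port 0 and the range [1,1024]
            return None
        return (initiator, host, port)
```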
Response for the first vulnerability (CSCdp86352)

The following changes have been made to the "fixup protocol ftp" behavior of the PIX Firewall:

* Enforce that only the server can generate a reply indicating the PASV command was accepted.
* Enforce that only the client can generate a PORT command.
* Enforce that the data channel is initiated from the expected side in an FTP transaction.
* Verify that the "227" reply code and the PORT command are complete commands and not part of a "500" error code string broken into fragments.
* Enforce that the port is not 0 or in the range [1,1024].

These or equivalent changes will be carried forward into all PIX Firewall software versions after version 5.1(1).

Response for the second vulnerability (CSCdr09226)

Cisco is working on a fix for this issue. This notice will be updated when we have produced a fix.

Software Versions and Fixes

Getting Fixed Software

Cisco is offering free software upgrades to remedy this vulnerability for all affected customers. Customers with service contracts may upgrade to any software version. Customers without contracts may upgrade only within a single row of the table below, except that any available fixed software will be provided to any customer who can use it and for whom the standard fixed software is not yet available. As always, customers may install only the feature sets they have purchased.
Version Affected                                           Interim Release**                      Projected first fixed regular release
                                                           (fix will carry forward into all       (fix will carry forward into all
                                                           later versions; available now          later versions)
                                                           through the TAC)

All versions of Cisco Secure PIX up to version 4.2(5)      4.2(5)205**                            4.2(6) - currently not scheduled*
(including 2.7, 3.0, 3.1, 4.0, 4.1)

All 4.3.x and 4.4.x up to and including version 4.4(4)     4.4(4)202**                            4.4(5) - estimated date available: 2000 April 15*

All 5.0.x up to and including version 5.0(1)               5.0(3)202**                            5.0(4) - estimated date available: 2000 April 30*

Version 5.1(1)                                             not affected                           unaffected; currently available

* All dates are tentative and subject to change.

** Interim releases are subjected to less internal testing and verification than are regular releases, may have serious bugs, and should be installed with great care.

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained via the Software Center on Cisco's Worldwide Web site at http://www.cisco.com/.

Customers without contracts should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows:

* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com

Give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.

Hardware requirements

If version 4.3 or 4.4 is utilized on a PIX 'Classic' (excludes PIX10000, PIX-510, PIX-520, and PIX-515), or if version 5.0 is utilized on a PIX 'Classic', PIX10000, or PIX-510 (excludes PIX-520 and PIX-515), a 128MB upgrade for the PIX Firewall is necessary.
As with any new software installation, customers planning to upgrade should carefully read the release notes and other relevant documentation before beginning any upgrade. Also, it is important to be certain that the new version of Cisco Secure PIX Firewall software is supported by your hardware, and especially that enough memory is available.

Workarounds

The behaviors described in this document are a result of the default command fixup protocol ftp [portnum]. To disable this functionality, enter the command:

    no fixup protocol ftp

This will disable support of the fixup of the FTP protocol in the PIX, and will eliminate the vulnerabilities. The command fixup protocol ftp 21 is the default setting of this feature, and is enabled by default on the Cisco Secure PIX Firewall.

This workaround will force your clients to use FTP in passive mode, and inbound FTP service will not be supported. Outbound standard (active-mode) FTP will not work without fixup protocol ftp 21; however, passive FTP will function correctly with no fixup protocol ftp configured.

Exploitation and Public Announcements

This vulnerability was proposed on the BUGTRAQ list, and in follow-ups to the article, the Cisco Secure PIX Firewall was also identified as susceptible. As the vulnerabilities have been widely discussed, Cisco is posting this advisory prior to having a full fix. We will update this notice again when we have a full fix available.

Cisco has had no reports of malicious exploitation of this vulnerability. However, versions of exploit scripts have been posted to various security-related lists. This vulnerability was reported to Cisco via several sources, shortly after the time of the original supposition.

Status of This Notice

This is an interim field notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all the facts have been checked to the best of our ability. Cisco anticipates issuing updated versions of this notice within two weeks.
Distribution

This notice will be posted on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/707/pixftp-pub.shtml. In addition to Worldwide Web posting, the initial version of this notice is being sent to the following e-mail and Usenet news recipients:

* cust-security-announce@cisco.com
* bugtraq@securityfocus.com
* first-teams@first.org (includes CERT/CC)
* cisco@spot.colorado.edu
* comp.dcom.sys.cisco
* firewalls@lists.gnac.com
* Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide Web server, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL given above for any updates.

Revision History

Revision 1.0  2000 March 16 08:00 AM US/Pacific (UTC+0800) - Initial public release
Revision 1.1  2000 March 16 08:00 AM US/Pacific (UTC+0800) - Link corrections, table head clarification.
Revision 1.3  2000 March 16 14:00 PM US/Pacific (UTC+0800) - Addition of 2nd vulnerability issues.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco security notices.

________________________________________________________________________________________________

This notice is copyright 2000 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.

________________________________________________________________________________________________