Cisco Secure PIX Firewall SMTP Filtering Vulnerability
                                        
Version 1.0

  For Public Release 2001 September 26 08:00 AM US/Pacific (UTC+0800)
     ___________________________________________________________________
   
  Please provide your feedback on this document.
     ___________________________________________________________________
   
Summary

   The Cisco Secure PIX firewall feature "mailguard" which limits SMTP
   commands to a specified minimum set of commands can be bypassed.
   
   This vulnerability can be exploited to bypass SMTP command filtering.
   
   This vulnerability has been assigned Cisco bug ID CSCdu47003.
   
   The complete notice will be available at
   http://www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-regression-pu
   b.shtml.
   
Affected Products

   All users of Cisco Secure PIX Firewalls with software versions 6.0(1),
   5.2(5) and 5.2(4) that provide access to SMTP Mail services are at risk.
   Please see the table below for affected versions.
   
   The IOS Firewall feature set is not affected by the above defect.
   
Details

   The behavior is a failure of the command fixup protocol smtp [portnum],
   which is enabled by default on the Cisco Secure PIX Firewall.  The
   impact and description of this defect is similar to a defect outlined in
   a previous security advisory,
   http://www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-pub.shtml,
   however, this instance of mail filtering bypass was re-introduced by the
   defect CSCds90792.
   
   If you do not have protected Mail hosts with the accompanying
   configuration (configuration example below) you are not vulnerable to
   the attack.
   
   To exploit this vulnerability, attackers must be able to make
   connections to an SMTP mail server protected by the PIX Firewall. If
   your Cisco Secure PIX Firewall has configuration lines similar to the
   following:
   
     fixup protocol smtp 25
     and either
     conduit permit tcp host 192.168.0.1 eq 25 any
     or
     conduit permit tcp 192.168.0.1 255.255.255.0 eq 25 any
     or
     access-list 100 permit tcp any host 192.168.0.1 eq 25
     access-group 100 in interface outside
     
   The expected filtering of the Mailguard feature can be circumvented by
   an attacker.
   
Impact

   If the mail server itself is not properly secured, an attacker may be
   able to collect information about existing e-mail  accounts and aliases,
   or may be able to execute arbitrary code on the mail server.  In order
   to exploit this vulnerability, an attacker would need to also exploit
   the mailserver that is currently protected by the PIX. If that server is
   already well configured, and has the latest security patches and fixes
   from the SMTP vendor, that will minimize the potential for exploitation
   of this vulnerability.
   
   Please note that Cisco strongly recommends that security on all servers,
   workstations and network infrastructure gear is maintained as part of
   Standard Operating Procedures. Internet Firewalls do not protect against
   risk factors internal to a Firewalled network such as social
   engineering, rogue internal users or additional external access points
   to the internal network (i.e. modem pools or network fax machines) and
   as such should not be viewed as the only security measure necessary to
   ensure network integrity.
   
Software Versions and Fixes

Version Affected

   Interim Release
   Fix will carry forward into all later versions Fixed Regular Release;
   available now
   Fix will carry forward into all later versions
   4.4(7.202) 4.4(7.204) 4.4(8)
   5.1(4.206) 5.1(4.209) 5.1(5)
   5.2(3.210) 5.2(5.207) 5.2(6)
   5.3(1.200) 5.3(1.206) 5.3(2)
   6.0(1) 6.0(1.101) 6.1(1)
   
Obtaining Fixed Software

   Cisco is offering free software upgrades to remedy this vulnerability
   for all affected customers. Customers with service contracts may upgrade
   to any software version. Customers without contracts may upgrade only
   within a single row of the table above, except that any available fixed
   software will be provided to any customer who can use it and for whom
   the standard fixed software is not yet available. As always, customers
   may install only the feature sets they have purchased.
   
   Customers with contracts should obtain upgraded software through their
   regular update channels. For most customers, this means that upgrades
   should be obtained via the Software Center on Cisco's Worldwide Web site
   at http://www.cisco.com. Customers whose Cisco products are provided or
   maintained through prior or existing agreement with third-party support
   organizations such as Cisco Partners, authorized resellers, or service
   providers should contact that support organization for assistance with
   the upgrade, which should be free of charge.
   
   Customers who purchase direct from Cisco but who do not hold a Cisco
   service contract, and customers who purchase through third party vendors
   but are unsuccessful at obtaining fixed software through their point of
   sale, should get their upgrades by contacting the Cisco Technical
   Assistance Center (TAC). TAC contacts are as follows:
     * +1 800 553 2447 (toll-free from within North America)
     * +1 408 526 7209 (toll call from anywhere in the world)
     * e-mail: tac@cisco.com
       
   Give the URL of this notice as evidence of your entitlement to a free
   upgrade. Free upgrades for non-contract customers must be requested
   through the TAC. Please do not contact either "psirt@cisco.com" or
   "security-alert@cisco.com" for software upgrades.
   
Workarounds

   There is not a direct workaround for this vulnerability. The potential
   for exploitation can be lessened by ensuring that mail servers are
   secured without relying on the PIX functionality.
   
Exploitation and Public Announcements

   This vulnerability was discovered internally by Cisco, during expanded
   regression testing. This vulnerability has been discussed on public
   forums previously. This vulnerability has not been discussed recently,
   and has not been discussed with reference to the current versions of the
   PIX software.
   
Status of This Notice: FINAL

   This is a final notice. Although Cisco cannot guarantee the accuracy of
   all statements in this notice, all of the facts have been checked to the
   best of our ability. Cisco does not anticipate issuing updated versions
   of this notice unless there is some material change in the facts. Should
   there be a significant change in the facts, Cisco may update this
   notice.
   
Distribution

   This notice will be posted on Cisco's Worldwide Web site at
   http://www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-regression-pu
   b.shtml. In addition to Worldwide Web posting, a text version of this
   notice is clear-signed with the Cisco PSIRT PGP key and is posted to the
   following e-mail and Usenet news recipients:
     * cust-security-announce@cisco.com
     * bugtraq@securityfocus.com
     * first-teams@first.org (includes CERT/CC)
     * cisco@spot.colorado.edu
     * comp.dcom.sys.cisco
     * firewalls@lists.gnac.com
     * Various internal Cisco mailing lists
       
   Future updates of this notice, if any, will be placed on Cisco's
   Worldwide Web server, but may or may not be actively announced on
   mailing lists or newsgroups. Users concerned about this problem are
   encouraged to check the URL given above for any updates.
   
Revision History

   Revision 1.0 For public release 26-SEP-2001 08:00 AM US/Pacific
   (UTC-0800)
   
Cisco Security Procedures

   Complete information on reporting security vulnerabilities in Cisco
   products, obtaining assistance with security incidents, and registering
   to receive security information from Cisco, is available on Cisco's
   Worldwide Web site at
   http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
   includes instructions for press inquiries regarding Cisco security
   notices. All Cisco Security Advisories are available at
   http://www.cisco.com/go/psirt.
     ___________________________________________________________________
   
   This notice is Copyright 2001 by Cisco Systems, Inc. This notice may be
   redistributed freely after the release date given at the top of the
   text, provided that redistributed copies are complete and unmodified,
   and include all date and version information.
     ___________________________________________________________________