Cisco Secure PIX Firewall FTP Vulnerabilities Revision 1.3 For public release 2000 March 16 05:00 PM US/Pacific (UTC+0800) ======================================================================= Summary ======= The Cisco Secure PIX Firewall interprets FTP (File Transfer Protocol) commands out of context and inappropriately opens temporary access through the firewall. This is an interim notice describing two related vulnerabilities. The first vulnerability is exercised when the firewall receives an error message from an internal FTP server containing an encapsulated command such that the firewall interprets it as a distinct command. This vulnerability can be exploited to open a separate connection through the firewall. This vulnerability is documented as Cisco Bug ID CSCdp86352. The second vulnerability is exercised when a client inside the firewall browses to an external server and selects a link that the firewall interprets as two or more FTP commands. The client begins an FTP connection as expected and at the same time unexpectedly executes another command opening a separate connection through the firewall. This vulnerability is documented as Cisco Bug ID CSCdr09226. Either vulnerability can be exploited to transmit information through the firewall without authorization. Fixed software and workarounds are available to address the first vulnerability. Fixed software is not yet available for the second vulnerability but a workaround is provided. Who Is Affected =============== All users of Cisco Secure PIX Firewalls with software versions up to and including 4.2(5), 4.4(4), and 5.0(3) that provide access to FTP services are at risk from both vulnerabilities. Cisco Secure PIX Firewall with software version 5.1(1) is affected by the second vulnerability only. Cisco Secure Integrated Software (formerly Cisco IOSŪ Software Firewall Feature Set) is not affected by either vulnerability. Impact ====== Any Cisco Secure PIX Firewall that has enabled the fixup protocol ftp command is at risk of unauthorized transmission of data through the firewall. Details ======= The first vulnerability has been assigned Cisco bug ID CSCdp86352. The second vulnerability has been assigned Cisco bug ID CSCdr09226. The behavior is due to the command fixup protocol ftp [portnum], which is enabled by default on the Cisco Secure PIX Firewall. If you do not have protected FTP hosts with the accompanying configuration (configuration example below) you are not vulnerable to the attack which causes a server to send a valid command, encapsulated within an error message, and causes the firewall to read the encapsulated partial command as a valid command (CSCdp86352). To exploit this vulnerability, attackers must be able to make connections to an FTP server protected by the PIX Firewall. If your Cisco Secure PIX Firewall has configuration lines similar to the following: fixup protocol ftp 21 and either conduit permit tcp host 192.168.0.1 eq 21 any or conduit permit tcp 192.168.0.1 255.255.255.0 eq 21 any It is possible to fool the PIX stateful inspection into opening up arbitrary TCP ports, which could allow attackers to circumvent defined security policies. If you permit internal clients to make arbitrary FTP connections outbound, you may be vulnerable to the second vulnerability (CSCdr09226). This is an attack based on CERT advisory "CA-2000-02: Malicious HTML Tags Embedded in Client Web Requests" and detailed in the BUGTRAQ post: "Extending the FTP 'ALG' vulnerability to any FTP client". The recommendation in the workarounds section of this document will provide protection against this vulnerability. Response for the first vulnerability (CSCdp86352) ================================================= The following changes have been made to the "fixup protocol FTP" behavior of the PIX Firewall: * Enforce that only the server can generate a reply indicating the PASV command was accepted. * Enforce that only the client can generate a PORT command. * Enforce that data channel is initiated from the expected side in an FTP transaction. * Verify that the "227" reply code and the PORT command are complete commands and not part of a "500" error code string broken into fragments. * Enforce that the port is not 0 or in the range between [1,1024] These or equivalent changes will be carried forward into all PIX Firewall software versions after version 5.1(1). Response for the second vulnerability (CSCdr09226) ================================================== Cisco is working on a fix for this issue. This notice will be updated when we have produced a fix. Software Versions and Fixes =========================== Getting Fixed Software ====================== Cisco is offering free software upgrades to remedy this vulnerability for all affected customers. Customers with service contracts may upgrade to any software version. Customers without contracts may upgrade only within a single row of the table below, except that any available fixed software will be provided to any customer who can use it and for whom the standard fixed software is not yet available. As always, customers may install only the feature sets they have purchased. Interim Release**(fix will carry forward into Projected first fixed Version Affected all later versions) regular release (fix will carry forward into Available Now through all later versions) the TAC All versions of Cisco Secure PIX up to version 4.2(5) 4.2(5)205** 4.2(6) Currently not (including 2.7, 3.0, scheduled.* 3.1, 4.0, 4.1) All 4.3.x and 4.4.x up 4.4(5) Estimated date to and including 4.4(4)202** available: 2000 April version 4.4(4) 15* All 5.0.x up to and 5.0(4) Estimated date including version 5.0(3)202** available: 2000 April 5.0(1) 30* Version 5.1(1) - not affected- unaffected Currently available * All dates are tentative and subject to change ** Interim releases are subjected to less internal testing and verification than are regular releases, may have serious bugs, and should be installed with great care. Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained via the Software Center on Cisco's Worldwide Web site at http://www.cisco.com/. Customers without contracts should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows: * +1 800 553 2447 (toll-free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades. Hardware requirements ===================== If version 4.3 or 4.4 is utilized on a PIX 'Classic' (excludes PIX10000, PIX-510, PIX-520, and PIX-515) or If version 5.0 is utilized on a PIX 'Classic', PIX10000, or PIX-510 (excludes PIX-520 and PIX-515) A 128MB upgrade for the PIX Firewall is necessary. As with any new software installation, customers planning to upgrade should carefully read the release notes and other relevant documentation before beginning any upgrade. Also, it is important to be certain that the new version of Cisco Secure PIX Firewall software is supported by your hardware, and especially that enough memory is available. Workarounds =========== The behaviors described in this document are a result of the default command "fixup protocol ftp [portnum]". To disable this functionality, enter the command "no fixup protocol ftp". This will disable support of the fixup of the FTP protocol in the PIX, and will eliminate the vulnerabilities. The command "fixup protocol ftp 21" is the default setting of this feature, and is enabled by default on the Cisco Secure PIX Firewall. This workaround will force your clients to use FTP in passive mode, and inbound FTP service will not be supported. Outbound standard FTP will not work without fixup protocol ftp 21, however, passive FTP will function correctly with no fixup protocol ftp configured. Exploitation and Public Announcements ===================================== This vulnerability was proposed on the BUGTRAQ list, and in follow-ups to the article, the Cisco Secure PIX Firewall was also identified as susceptible. As the vulnerabilities have been widely discussed, Cisco is posting this advisory prior to having a full fix. We will update this notice again, when we have a full fix available. Cisco has had no reports of malicious exploitation of this vulnerability. However, versions of exploit scripts have been posted to various security related lists. This vulnerability was reported to Cisco via several sources, shortly after the time of the original supposition. Status of This Notice ===================== This is an interim field notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all the facts have been checked to the best of our ability. Cisco anticipates issuing updated versions of this notice within two weeks. Distribution ============ This notice will be posted on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/707/pixftp-pub.shtml. In addition to Worldwide Web posting, the initial version of this notice is being sent to the following e-mail and Usenet news recipients: * cust-security-announce@cisco.com * bugtraq@securityfocus.com * first-teams@first.org (includes CERT/CC) * cisco@spot.colorado.edu * comp.dcom.sys.cisco * firewalls@lists.gnac.com * Various internal Cisco mailing lists Future updates of this notice, if any, will be placed on Cisco's Worldwide Web server, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL given above for any updates. Revision History ================ Revision 1.02000 March 16 08:00 AM US/Pacific (UTC+0800)- Initial public release Revision 1.12000 March 16 08:00 AM US/Pacific (UTC+0800) - Link corrections, table head clarification. Revision 1.32000 March 16 14:00 PM US/Pacific (UTC+0800) - Addition of 2nd vulnerability issues. Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco security notices. --------------------------------------------------------------------------- This notice is copyright 2000 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information. --------------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBONGR33LSeEveylnrAQGEaAgAipfZqhM1XoO6qKp11dVWw1obkzlKToP/ 6pUL8fLee+ujD74XGEHrlpLH/C6GDeISggNJjGmgphf92VI89YbsIctBw0f717u+ nxtnMCPlPJ2Y/ZaiipGQj+UersLc/A/oL+83JRDoM6G5d/YYD8/cZ35QbKyEdfB4 l40TGk13aFfkNklULv2INw3fiY3DCMX5hOAfEJ8/xXyuQDuTJdPC747TY30nKnD4 W1jyqLhQ02FmRy9AfL31Q2r91qPZ8gCYGTzIy8gs8r/l9qzgE/eiEeivhQ02luFC 4FBXFUJJ3xTioor2zLDRkoGoWvwyXMMtfvFFD35U7oZp3SCevtuvUA== =3jWU -----END PGP SIGNATURE----- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQENAzXPH5oC2wEIAMeLeBbPlxIznjaMMKWFlhVgQ85n4wm6A1ZeVCm0D8zRzATl IKC365xXRKx8bwTn5XjKxZ5/XVuZjhsMS/CCa7B4FfxqjYBpEvfWEYDmPfzipTC3 nPAEc3T4yNWfaDKPxqv85WK+3yn0rpygWEgqw8+/n8QvoSbBEA9DU+5RTHIDEfOF vmqtDYB/2luIubN4X2jazwLeGhocarrbZmEW4fKsOpQ1xS1IuWbn9AWXjchMfL8z i+ow9p6BA2I0eqmP/c1Ld+cL/befk3/l8rPA7UUFOn1je7Fng0WAAUvjoHU56fO2 oF6rO5jfHFu6yBt2ouRem/KMzx6WctJ4S97KWesABRG0R0Npc2NvIFN5c3RlbXMg UHJvZHVjdCBTZWN1cml0eSBJbmNpZGVudCBSZXNwb25zZSBUZWFtIDxwc2lydEBj aXNjby5jb20+iQEVAwUTNeY8KkZi51ggEbh5AQE64Af9HKKrj19Z5URxpZu1J/IG LpIJUsix8IHAudPCw/sNc7yipqwHVSDUGu1UKIEnQHP0jeAX98seyMCFdFzxChzc ZbUMXoa0H8nDhlHrAHUKWY66slfdDTBDV8ICdGTOZ9XcQOvoOAL8xhZJ0HTBcdM4 b2w3ECgEdxPiPhL0+gBbqZ4c1YQzVnxKG20G1Vs/NtIJW1nQrapCI5EysQO/srUL u1J/BHsVKfSjayROrQVGWU5pnpxiCr8PRivWFOEXu1xcJLs05wiVvuWmA3x8v8Bt c9xPx3bnpAiiaKOKDqZh0eja6+7/pYWnTdpXwXdS+lwNBneVLLF4I1IOs412BNpa TIkBFQMFEDXPH5py0nhL3spZ6wEBPzgH/Axh9Q8T4Gviyhcqn+pSk+Ug55nkzrvQ +IZx3v9eFbvgBX5q16pRifhniuppTUzkklvOKeQ0Oz7MG6ekDSQcP9PAAJL8Kik5 6MB1HbQTNxkr3qTBJELmXBRT7a6G4F2KzoEbphtS27p4v1MrJ2MWcc5HHrUpD8mE s4x9WhxXfPQSTRmJ9XcvIbv852y1bVMXwISt7TzpQuxH8oBLDhdlQu51ANd7hlAa 7N+M8CYvxmpYCgxlPh8XhAuZZmMSVbtX7TMvoPtFRkwaV0kitxvfch36JMrGK/0b AedGRFGSqa8+bZmCBFABsn+pziHwuXLZhsJ14e8V+zqacxZe2apOQ4mIPwMFEDXP IpCWgad8PVLgfxECuK8AoNBJNor02wuTI9mVACgaknKdSqn9AJ9vZg3u0d5lx3l+ QmkupOtBU40us4kBFQMFEDXPJBwMj7Lhmx7xKQEBhscIAJEkpzdvpzjHfETEZyml eUvq9IO1mVDQDQiyG02akI2PUe39Tl57jKjQ8Lyus0cfvHs7qVc8jj2e1+mUyXA1 AwWOZaJsgVdkZIFKJnU9MfN3XIxwwkg7g3dB99oPrAbTgWkKdodJmTnKsXntAYcm g7/4a5UYujJ2+J/7z1ZmiMtqHu4hU7B36DoxZadmaOPe1cIzsy+5vBgg5vesDLb4 O+3dae6BgsCay0eSLdfLkxI9hTGGiFTHrkgBaxOvQn6oUxVxnJC3EWfasJzFjjxS rXxNuUqL9fRXDNOYH2P9tcQtjOypZPOGgtLvwCf0rQl/6jNxIWTJHk/WXKbunvRK DIS0USBDaXNjbyBTeXN0ZW1zIHByb2R1Y3Qgc2VjdXJpdHkgaW5jaWRlbnQvYnVn IHJlcG9ydGluZyA8c2VjdXJpdHktYWxlcnRAY2lzY28uY29tPokBFQMFEDXPIS9y 0nhL3spZ6wEBGHEH/2CYREeuDDx1lrlqKcTuSn13eyuVasAC4nIRkuY5T+ipAHq0 p2fwQ0QyxGvMD8naoEiTwtO4tHWEfqaqG/txt0draa+//mX/qr865K/4qtDe2n6d Dz3uBy/wUn5i76302dthoUnbHpxug1NkKqop/FHYk9GztBMFlF+5COlBk5fYtYzD 2Nrhc5oA8lPBmJNAcM9ifVIEzYHEnJIcdoqrwGKCz91xxAjW+XnyWtiJ80mRDJx8 88qF5lmmmkopgrxrRwikHprFMsSzT9Vqt3Rts7PtPPOaSBlEcGgKOhN5PcWnpIar MeytrOkctsTjrqMaOEKudgaGgDrIgsBc6iYHwaaIPwMFEDXPIuWWgad8PVLgfxEC L9wAoOo4XEm03MsnyprNhw85ALRew0gZAKD6eXHl1C1ywrNTiWDH0SfR0j9qdokB FQMFEDXPJG8Mj7Lhmx7xKQEBcEQH/2mE5RbDsiZ++EAtWleejNT720qAEUQCtPdj yFRFiNhbc0yUhmoQ9dZKdujxKQWpZJt/5h7ax4VtPm3JtbQz8jgrugJYPYeERQSA qyimvjXwa4AFDsGwC1chtN+HnJwsixpLiHqx8k4CxKtPiKCVjLmZI3n+jZYXtlqb 73pMXOEzOMuKNkM8eteUO29b/h++rN6WPGlS4Ua9t4/sxy7yz6m6FLHzwudub6wl ZfDrBZJuhsOq81j7P+QJ0pAi9fjsyn0Kh4LfjFefcp+9AmRgYFW4N/RTcKLlakkq rj6iCGUMm174zA4vYEohi1ottOEfAxDtF+uLVM5+ONUc6s+1kns= =l8tP -----END PGP PUBLIC KEY BLOCK-----