Cisco admits to serious PIX firewall flaw

Cisco last week admitted that two security vulnerabilities affecting its PIX firewalls could leave corporate networks open to attack.

In an interim security notice, the vendor acknowledged the existence of two related vulnerabilities that both cause its Secure PIX Firewalls to interpret FTP (File Transfer Protocol) commands out of context, leaving the networks behind the firewalls open to penetration.

Cisco said that in certain configurations "it is possible to fool the PIX stateful inspection into opening up arbitrary TCP ports, which could allow attackers to circumvent defined security policies".

All Cisco Secure PIX Firewalls with software versions up to and including 4.2(5), 4.4(4), and 5.0(3), that are configured to provide access to FTP services, are at risk from both vulnerabilities. Cisco admitted that the problem means any Cisco Secure PIX Firewall that has enabled the fix-up protocol FTP command could allow unauthorised data to reach the network it is designed to protect.

Deri Jones, managing director of security tester NTA Monitor, described the issue as "serious", particularly because Cisco's offering is currently the third most popular firewall in the market.

"To Cisco's credit it has issued a bulletin, but has not yet found any solutions. This will not be trivial to address and may take it some time," warned Jones.

Clive McCafferty, managing director of security consultant CenturyCom, said that many users, which include BT, use Cisco's PIX firewalls for managed services.

"This could allow an attacker to send spurious stuff and then launch an attack when a port is open," said McCafferty.

The first vulnerability, which remains unfixed, is exercised when a client inside the firewall browses to an external server and selects a link that the firewall interprets as two or more FTP commands. The client begins an FTP connection as expected, and at the same time unexpectedly executes another command opening a separate connection through the firewall.

The only solution Cisco currently suggests for this problem is disabling incoming FTP services. Any server that permits internal clients to make arbitrary outbound FTP connections may be vulnerable to this issue.

The second, related problem is exercised when the firewall receives an error message from an internal FTP server containing an encapsulated command that the firewall interprets as a distinct command. This can be exploited to open a separate connection through the firewall.

Both vulnerabilities are due to the fix-up protocol FTP (portnum) command, which is enabled by default on the Cisco Secure PIX Firewall. To exploit the security flaws, attackers must be able to make connections to an FTP server protected by the PIX Firewall.
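The common thread in both problems above is that the firewall's FTP inspection honours a PORT command or a 227 "Entering Passive Mode" reply wherever it appears in the control channel, rather than only when it is the whole, well-formed message from the peer entitled to send it. The script below is an added illustration written for this article and is not Cisco's code or a reconstruction of the PIX inspection engine. It contrasts a deliberately loose token search with a strict one-line-per-message validator of the kind a defender would expect from a stateful inspector: the strict check refuses a message carrying two commands (the first vulnerability) and never opens anything on the strength of a 227 quoted inside a 500 error (the second). The sample messages, the client and server addresses (10.0.0.5 and 192.0.2.10) and the function names are all constructed for the example.

```python
import re
from typing import Optional

# Constructed sample FTP control-channel messages, not taken from the article.
# Each entry is (direction, raw bytes) as an inspector on the firewall would see
# them: the client sits behind the firewall at 10.0.0.5, the server is 192.0.2.10.
CLIENT_IP = "10.0.0.5"
SERVER_IP = "192.0.2.10"
SAMPLE_MESSAGES = [
    ("client", b"USER anonymous\r\n"),
    ("client", b"PORT 10,0,0,5,4,1\r\n"),                      # ordinary active-mode request
    ("client", b"RETR a.txt\r\nPORT 10,0,0,5,4,2\r\n"),         # two commands in one message
    ("server", b"227 Entering Passive Mode (192,0,2,10,200,10)\r\n"),
    ("server", b"500 Unknown command: 227 Entering Passive Mode (192,0,2,10,200,11)\r\n"),
]

# The six decimal fields (h1,h2,h3,h4,p1,p2) used by PORT commands and 227 replies.
ADDR = rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_TOKEN = re.compile(rb"PORT " + ADDR)                        # loose: token anywhere
PASV_TOKEN = re.compile(rb"227 [^\r\n]*?\(" + ADDR + rb"\)")
PORT_LINE = re.compile(rb"^PORT " + ADDR + rb"\r\n$")            # strict: whole message
PASV_LINE = re.compile(rb"^227 [^\r\n]*?\(" + ADDR + rb"\)[^\r\n]*\r\n$")


def _endpoint(m):
    """Turn the six matched decimal fields into an (ip, port) tuple."""
    h = [int(x) for x in m.groups()]
    return ".".join(map(str, h[:4])), h[4] * 256 + h[5]


def lenient_scan(direction: str, raw: bytes) -> list:
    """Models the out-of-context behaviour the article describes: any PORT or 227
    token found anywhere in the message yields a data-channel pinhole, so a second
    command packed into one message, or a 227 quoted inside an error, counts too."""
    pattern = PORT_TOKEN if direction == "client" else PASV_TOKEN
    return [_endpoint(m) for m in pattern.finditer(raw)]


def strict_inspect(direction: str, raw: bytes) -> tuple:
    """Hardened inspection. Returns ("open", (ip, port)), ("reject", reason) or
    ("ignore", None). A pinhole is opened only when the entire message is one
    well-formed PORT command or 227 reply and the address belongs to its sender."""
    if raw.count(b"\r\n") != 1 or not raw.endswith(b"\r\n"):
        return "reject", "message must be exactly one CRLF-terminated line"
    if direction == "client":
        if not raw.startswith(b"PORT "):
            return "ignore", None
        m = PORT_LINE.match(raw)
        if m is None:
            return "reject", "malformed PORT command"
        ip, port = _endpoint(m)
        if ip != CLIENT_IP:
            return "reject", "PORT address does not belong to the client"
        return "open", (ip, port)
    if not raw.startswith(b"227 "):
        return "ignore", None           # a 500 error never opens a data channel
    m = PASV_LINE.match(raw)
    if m is None:
        return "reject", "malformed 227 reply"
    ip, port = _endpoint(m)
    if ip != SERVER_IP:
        return "reject", "227 address does not belong to the server"
    return "open", (ip, port)


def compare(messages=SAMPLE_MESSAGES):
    """Run both inspectors over the samples and return one row per message."""
    return [(raw, lenient_scan(d, raw), strict_inspect(d, raw)) for d, raw in messages]


if __name__ == "__main__":
    for raw, loose, strict in compare():
        print(f"{raw!r}\n  lenient opens: {loose}\n  strict: {strict}")
```

Running it shows the loose scanner opening a pinhole for the second command in the two-command message and for the 227 buried in the 500 reply, while the strict validator rejects the first outright and ignores the second. The address check on the last line of each branch is the extra caveat a practitioner would want: even a single well-formed PORT command should only ever point back at the host that sent it.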