cisco.pix-ftp.txt

Cisco Secure PIX Firewall FTP Vulnerabilities

Revision 1.3

For public release 2000 March 16 05:00 PM US/Pacific (UTC+0800)
=======================================================================

Summary
=======

The Cisco Secure PIX Firewall interprets FTP (File Transfer Protocol)
commands out of context and inappropriately opens temporary access through
the firewall.  This is an interim notice describing two related
vulnerabilities.

The first vulnerability is exercised when the firewall receives an error
message from an internal FTP server containing an encapsulated command such
that the firewall interprets it as a distinct command.  This vulnerability
can be exploited to open a separate connection through the firewall.  This
vulnerability is documented as Cisco Bug ID CSCdp86352.

The second vulnerability is exercised when a client inside the firewall
browses to an external server and selects a link that the firewall
interprets as two or more FTP commands.  The client begins an FTP connection
as expected and at the same time unexpectedly executes another command
opening a separate connection through the firewall.  This vulnerability is
documented as Cisco Bug ID CSCdr09226.

Either vulnerability can be exploited to transmit information through the
firewall without authorization.

Fixed software and workarounds are available to address the first
vulnerability.  Fixed software is not yet available for the second
vulnerability but a workaround is provided.


Who Is Affected
===============

All users of Cisco Secure PIX Firewalls with software versions up to and
including 4.2(5), 4.4(4), and 5.0(3) that provide access to FTP services are
at risk from both vulnerabilities.

Cisco Secure PIX Firewall with software version 5.1(1) is affected by the
second vulnerability only.

Cisco Secure Integrated Software (formerly Cisco IOS? Software Firewall
Feature Set) is not affected by either vulnerability.


Impact
======

Any Cisco Secure PIX Firewall that has enabled the fixup protocol ftp
command is at risk of unauthorized transmission of data through the
firewall.


Details
=======

The first vulnerability has been assigned Cisco bug ID CSCdp86352. The
second vulnerability has been assigned Cisco bug ID CSCdr09226.

The behavior is due to the command fixup protocol ftp [portnum], which is
enabled by default on the Cisco Secure PIX Firewall.

If you do not have protected FTP hosts with the accompanying configuration
(configuration example below) you are not vulnerable to the attack which
causes a server to send a valid command, encapsulated within an error
message, and causes the firewall to read the encapsulated partial command as
a valid command (CSCdp86352).

To exploit this vulnerability, attackers must be able to make connections to
an FTP server protected by the PIX Firewall.  If your Cisco Secure PIX
Firewall has configuration lines similar to the following:


          fixup protocol ftp 21

and either

          conduit permit tcp host 192.168.0.1 eq 21 any

or

          conduit permit tcp 192.168.0.1 255.255.255.0 eq 21 any


It is possible to fool the PIX stateful inspection into opening up arbitrary
TCP ports, which could allow attackers to circumvent defined security
policies.

If you permit internal clients to make arbitrary FTP connections outbound,
you may be vulnerable to the second vulnerability (CSCdr09226).  This is an
attack based on CERT advisory "CA-2000-02: Malicious HTML Tags Embedded in
Client Web Requests"<http://www.cert.org/advisories/CA-2000-02.html> and
detailed in the BUGTRAQ post: "Extending the FTP 'ALG' vulnerability to any
FTP client"<http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-08&msg=38C8C8EE.544524B1@enternet.se>.

The recommendation in the workarounds section of this document will provide
protection against this vulnerability.


Response for the first vulnerability (CSCdp86352)
=================================================

The following changes have been made to the "fixup protocol FTP" behavior of
the PIX Firewall:

   * Enforce that only the server can generate a  reply indicating the PASV
     command was accepted.
   * Enforce that only the client can generate a PORT command.
   * Enforce that data channel is initiated from the expected side in an FTP
     transaction.
   * Verify that the "227" reply code and the PORT command are complete
     commands and not part of a "500" error code string broken into
     fragments.
   * Enforce that the port is not 0 or in the range between [1,1024]

These or equivalent changes will be carried forward into all PIX Firewall
software versions after version 5.1(1).


Response for the second vulnerability (CSCdr09226)
==================================================

Cisco is working on a fix for this issue.  This notice will be updated when
we have produced a fix.


Software Versions and Fixes
===========================

Getting Fixed Software
======================

Cisco is offering free software upgrades to remedy this vulnerability for
all affected customers. Customers with service contracts may upgrade to any
software version. Customers without contracts may upgrade only within a
single row of the table below, except that any available fixed software will
be provided to any customer who can use it and for whom the standard fixed
software is not yet available. As always, customers may install only the
feature sets they have purchased.

                         Interim Release**(fix
                         will carry forward into Projected first fixed
 Version Affected        all later versions)     regular release (fix
                                                 will carry forward into
                         Available Now through   all later versions)
                         the TAC

 All versions of Cisco
 Secure PIX up to
 version 4.2(5)          4.2(5)205**             4.2(6) Currently not
 (including 2.7, 3.0,                            scheduled.*
 3.1, 4.0, 4.1)
 All 4.3.x and 4.4.x up                          4.4(5) Estimated date
 to and including        4.4(4)202**             available: 2000 April
 version 4.4(4)                                  15*
 All 5.0.x up to and                             5.0(4) Estimated date
 including version       5.0(3)202**             available: 2000 April
 5.0(1)                                          30*
 Version 5.1(1) - not
 affected-               unaffected              Currently available

* All dates are tentative and subject to change

** Interim releases are subjected to less internal testing and verification
than are regular releases, may have serious bugs, and should be installed
with great care.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades should
be obtained via the Software Center on Cisco's Worldwide Web site at
http://www.cisco.com/.

Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:

   * +1 800 553 2447 (toll-free from within North America)
   * +1 408 526 7209 (toll call from anywhere in the world)
   * e-mail: tac@cisco.com

Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested through
the TAC. Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.


Hardware requirements
=====================

If version 4.3 or 4.4 is utilized on a PIX 'Classic' (excludes PIX10000,
PIX-510, PIX-520, and PIX-515)

    or

If version 5.0 is utilized on a PIX 'Classic', PIX10000, or PIX-510
(excludes PIX-520 and PIX-515)

A 128MB upgrade for the PIX Firewall is necessary.  As with any new software
installation, customers planning to upgrade should carefully read the
release notes and other relevant documentation before beginning any upgrade.
Also, it is important to be certain that the new version of Cisco Secure PIX
Firewall software is supported by your hardware, and especially that enough
memory is available.


Workarounds
===========

The behaviors described in this document are a result of the default command
"fixup protocol ftp [portnum]".  To disable this functionality, enter the
command "no fixup protocol ftp".  This will disable support of the fixup of
the FTP protocol in the PIX, and will eliminate the vulnerabilities.  The
command "fixup protocol ftp 21" is the default setting of this feature, and
is enabled by default on the Cisco Secure PIX Firewall.

This workaround will force your clients to use FTP in passive mode, and
inbound FTP service will not be supported.  Outbound standard FTP will not
work without fixup protocol ftp 21, however, passive FTP will function
correctly with no fixup protocol ftp configured.


Exploitation and Public Announcements
=====================================

This vulnerability was proposed on the BUGTRAQ list, and in follow-ups to
the article, the Cisco Secure PIX Firewall was also identified as
susceptible.  As the vulnerabilities have been widely discussed, Cisco is
posting this advisory prior to having a full fix.  We will update this
notice again, when we have a full fix available.

Cisco has had no reports of malicious exploitation of this vulnerability.
However, versions of exploit scripts have been posted to various security
related lists.

This vulnerability was reported to Cisco via several sources, shortly after
the time of the original supposition.


Status of This Notice
=====================

This is an interim field notice. Although Cisco cannot guarantee the
accuracy of all statements in this notice, all the facts have been checked
to the best of our ability. Cisco anticipates issuing updated ve...