[NEWS] Cisco Secure PIX Firewall SMTP Filtering Vulnerability (Regression Problem)

From: support@securiteam.com
Date: 09/29/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Cisco Secure PIX Firewall SMTP Filtering Vulnerability (Regression Problem)
Message-Id: <20010929133222.C3BAC138BF@mail.der-keiler.de>
Date: Sat, 29 Sep 2001 15:32:22 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Cisco Secure PIX Firewall SMTP Filtering Vulnerability (Regression Problem)
------------------------------------------------------------------------

SUMMARY

The Cisco Secure PIX firewall feature "mailguard" which limits SMTP
commands to a specified minimum set of commands can be bypassed.

This vulnerability can be exploited to bypass SMTP command filtering.
The vulnerability has been assigned Cisco bug ID CSCdu47003.

DETAILS

Affected products:
All users of Cisco Secure PIX Firewalls running software versions 6.0(1),
5.2(5), or 5.2(4) that provide access to SMTP mail services are at risk.
The full table of affected and fixed versions is at the Cisco URL given
under "Software versions and fixes" below.

The IOS Firewall feature set is not affected by the above defect.

Details:
The behavior is a failure of the command "fixup protocol smtp 25", which
is enabled by default on the Cisco Secure PIX Firewall. The impact and
description of this defect are similar to those of a defect outlined in a
previous security advisory,
http://www.securiteam.com/securitynews/6B00S0A01O.html; however, this
instance of the mail filtering bypass was re-introduced by the fix for
defect CSCds90792 (a regression).

If you do not have protected Mail hosts with the accompanying
configuration (configuration example below), you are not vulnerable to the
attack.

To exploit this vulnerability, attackers must be able to make connections
to an SMTP mail server protected by the PIX Firewall. If your Cisco Secure
PIX Firewall has configuration lines similar to the following:

 fixup protocol smtp 25
 and either
 conduit permit tcp host 192.168.0.1 eq 25 any
 or
 conduit permit tcp 192.168.0.1 255.255.255.0 eq 25 any
 or
 access-list 100 permit tcp any host 192.168.0.1 eq 25
 access-group 100 in interface outside

The expected filtering of the Mailguard feature can be circumvented by an
attacker.
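The advisory does not describe the bypass itself, but it does give the property a practitioner can verify after upgrading: when Mailguard is effective, any SMTP verb outside its minimum set should be refused before it reaches the mail host. The following is an added example, not code from Cisco or SecuriTeam, that probes a mail server on port 25 with verbs outside that set (HELP, VRFY, EXPN, EHLO) and reports which ones were accepted with a 2xx reply. The minimum verb set (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) is taken from Cisco's PIX documentation for the fixup and is an assumption here, not something this advisory states. So that it runs offline, the example also includes a constructed stub SMTP server that can answer either like a Mailguard-protected host (5xx to everything outside the set) or like an unfiltered host that honours VRFY/EXPN/HELP; the "500 command unrecognized" text and the stub's other replies are constructed, not captured from a PIX.

```python
import socket
import socketserver
import threading

# Verbs Cisco's PIX documentation lists as the Mailguard minimum set for
# "fixup protocol smtp" (assumption: taken from the product docs, not from
# this advisory).
MAILGUARD_ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# Hypothetical probe list: verbs that a working Mailguard should refuse.
PROBE_VERBS = ["HELP", "VRFY postmaster", "EXPN staff", "EHLO probe.example"]


def _read_reply(rf):
    """Read one (possibly multi-line) SMTP reply; return its 3-digit code, or None on EOF."""
    code = None
    while True:
        raw = rf.readline()
        if not raw:
            return code
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            return code
        code = int(line[:3])
        if len(line) == 3 or line[3] != "-":  # "250-" continues, "250 " ends
            return code


def probe_smtp(host, port, verbs=PROBE_VERBS, timeout=5.0):
    """Send each probe verb after the banner; return {verb: reply code}."""
    replies = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        rf = s.makefile("rb")
        _read_reply(rf)  # 220 banner
        for verb in verbs:
            s.sendall((verb + "\r\n").encode("ascii"))
            replies[verb] = _read_reply(rf)
        s.sendall(b"QUIT\r\n")
        rf.close()
    return replies


def mailguard_looks_effective(replies):
    """True if no probed verb outside the minimum set received a 2xx reply.
    A 5xx does not prove the PIX filtered it (the server may refuse it too),
    but any 2xx proves the verb reached the mail host unfiltered."""
    for verb, code in replies.items():
        if verb.split()[0].upper() in MAILGUARD_ALLOWED:
            continue
        if code is not None and 200 <= code < 300:
            return False
    return True


class StubSMTPHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a mail host. filtered=True mimics a working
    Mailguard in front of it; filtered=False mimics the unfiltered server."""

    def handle(self):
        self.wfile.write(b"220 mail.example ESMTP stub (constructed)\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            parts = line.decode("ascii", "replace").split()
            verb = parts[0].upper() if parts else ""
            if verb == "QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            if self.server.filtered and verb not in MAILGUARD_ALLOWED:
                self.wfile.write(b"500 command unrecognized\r\n")
            elif verb in ("VRFY", "EXPN"):
                self.wfile.write(b"250 ok\r\n")  # leaks account/alias existence
            elif verb == "HELP":
                self.wfile.write(b"214-commands supported:\r\n214 HELO EHLO MAIL RCPT DATA VRFY EXPN\r\n")
            elif verb == "EHLO":
                self.wfile.write(b"250-mail.example\r\n250 PIPELINING\r\n")
            else:
                self.wfile.write(b"250 ok\r\n")


class StubServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, filtered):
        super().__init__(("127.0.0.1", 0), StubSMTPHandler)
        self.filtered = filtered


def run_check(filtered):
    """Start a stub of the given kind, probe it, stop it; return (verdict, replies)."""
    srv = StubServer(filtered)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        replies = probe_smtp("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()
    return mailguard_looks_effective(replies), replies


if __name__ == "__main__":
    for filtered in (True, False):
        ok, replies = run_check(filtered)
        label = "stub behind Mailguard" if filtered else "unfiltered stub"
        print(label, "->", "filtering effective" if ok else "NOT FILTERED", replies)
```

Against a real deployment, call probe_smtp from a host on the outside interface of the PIX against the protected mail server's address. A 2xx reply to VRFY, EXPN or HELP through the PIX means the fixup is not filtering (because of this defect, or because the fixup is not applied to that traffic); a 5xx reply is consistent with Mailguard working but is also what a hardened mail server returns on its own, which is why the advisory's workaround of securing the server without relying on the PIX still applies.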

Impact:
If the mail server itself is not properly secured, an attacker may be able
to collect information about existing e-mail accounts and aliases, or may
be able to execute arbitrary code on the mail server. To do real harm, an
attacker would also need to exploit the mail server that the PIX is
currently protecting. If that server is already well configured and has
the latest security patches and fixes from the SMTP vendor, the potential
for exploitation of this vulnerability is minimized.

Please note that Cisco strongly recommends that security on all servers,
workstations, and network infrastructure gear is maintained as part of
Standard Operating Procedures. Internet Firewalls do not protect against
risk factors internal to a Firewalled network such as social engineering,
rogue internal users, or additional external access points to the internal
network (i.e. modem pools or network fax machines) and as such should not
be viewed as the only security measure necessary to ensure network
integrity.

Software versions and fixes:
A table showing vulnerable and fixed versions is available at:
http://www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-regression-pub.shtml#Software

Obtaining fixed software:
Cisco is offering free software upgrades to remedy this vulnerability for
all affected customers. Customers with service contracts may upgrade to
any software version. Customers without contracts may upgrade only within
a single row of the table at the URL above, except that any available
fixed software will be provided to any customer who can use it and for
whom the standard fixed software is not yet available. As always,
customers may install only the feature sets they have purchased.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained via the Software Center on Cisco's Worldwide Web site
at http://www.cisco.com. Customers whose Cisco products are provided or
maintained through prior or existing agreement with third-party support
organizations such as Cisco Partners, authorized resellers, or service
providers should contact that support organization for assistance with the
upgrade, which should be free of charge.

Workarounds:
There is not a direct workaround for this vulnerability. The potential for
exploitation can be lessened by ensuring that mail servers are secured
without relying on the PIX functionality.

ADDITIONAL INFORMATION

The information has been provided by the Cisco Systems Product Security
Incident Response Team (psirt@cisco.com).

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
