[NEWS] Cisco PIX Firewall Manager Password Disclosure Vulnerability
From: support@securiteam.com  Date: 10/16/01
From: support@securiteam.com To: list@securiteam.com Subject: [NEWS] Cisco PIX Firewall Manager Password Disclosure Vulnerability Message-Id: <20011016114959.DFC6D138C1@mail.der-keiler.de> Date: Tue, 16 Oct 2001 13:49:59 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cisco PIX Firewall Manager Password Disclosure Vulnerability
------------------------------------------------------------------------
SUMMARY
Novacoast has discovered a vulnerability in the Cisco PIX Firewall Manager
software that exposes and records the enable password of the managed PIX
device in plaintext. Attackers may use this vulnerability to obtain full
access to the PIX firewall.
DETAILS
Affected versions:
The tested version is PFM 4.3(2)g. The vulnerability does not depend on the
version of the PIX Firewall software itself; it was found while managing a
PIX running 5.2(1).
The PIX Firewall Manager (PFM) is a software product that allows the
configuration of Cisco PIX Firewall devices via a web-based GUI. PFM is
installed and run on a standard Windows NT workstation or server that
serves as the management station. The flaw is that, upon a successful
connection to a PIX device, PFM saves the enable password in plaintext on
the management station. The password is recorded in an unencrypted log file
stored in a directory created by the installer, which by default has no
access restrictions. An attacker who compromises the management station can
therefore retrieve the enable password, which in turn grants full
privileged access to the PIX Firewall.
Example:
1) Install PFM as instructed.
2) Run PFM, and connect to the PIX firewall with the correct IP and enable
password.
3) Wait for PFM to finish gathering data from the firewall.
4) A PFM.LOG file is created, by default in
   C:\Program Files\Cisco\PIX Firewall Manager\protect.
5) The enable password is stored in plaintext in an entry that looks like:
Aug 01 2001 14:59:18 <Receiving msg> - 9004
192.168.1.100 0 0 0 1 5 **enable_pswd_here**
Recommended solution:
Cisco has stated that PFM should be replaced by the PIX Device Manager
product, and thus a fix for this exploit will not be made available.
Further product information is located here:
http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pixdm_ds.htm
Note that an attacker can only exploit this issue after compromising the
management station on which PFM is installed. Administrators should ensure
that the PFM station, and the inside network on which it resides, are
properly protected behind the PIX firewall. The management station itself
should also be locked down as far as possible, since a number of exploits
exist for the NT platform. If PFM is to be used, restrict the access rights
on the directory in which PFM.LOG resides. After connecting to a PIX using
PFM, edit PFM.LOG, search for your PIX enable password, and delete it
manually. (Alternatively, delete the file itself; it does not appear to be
required for PFM to function.)
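The "search PFM.LOG and delete the password" step above, and the 9004 record shown in the Example section, lend themselves to a small audit script. The following Python is an added example, not code from Cisco, Novacoast or SecuriTeam. It assumes the two-line record layout quoted in the advisory (a timestamp header containing "<Receiving msg> - 9004", then a payload line whose last field is the enable password) and that the password contains no whitespace; the sample log embedded in it is constructed, not a real capture.

```python
"""Audit and redact enable passwords leaked into PFM.LOG.

Added example (not Cisco/Novacoast/SecuriTeam code). The record layout is
assumed from the single entry quoted in the advisory: a timestamp header
containing "<Receiving msg> - 9004", then a payload line of the form
"<ip> <five numeric fields> <enable password>". The password is assumed to
contain no whitespace.
"""
import re
import sys
from typing import List, Tuple

# Header line of a 9004 record, e.g. "Aug 01 2001 14:59:18 <Receiving msg> - 9004"
HEADER_RE = re.compile(
    r"^\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2} <Receiving msg> - 9004\s*$")
# Payload line: IPv4 address, five numeric fields, then the password (assumed layout)
PAYLOAD_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3}(?:\s+\d+){5})\s+(\S+)\s*$")
REDACTED = "<redacted>"

Finding = Tuple[int, str, str]  # (1-based line number, PIX address, password)


def scan_pfm_log(text: str) -> Tuple[str, List[Finding]]:
    """Return the log with every leaked password replaced by REDACTED, plus
    a list of findings. Re-running on already-redacted output finds nothing."""
    lines = text.splitlines()
    out: List[str] = []
    findings: List[Finding] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if HEADER_RE.match(line) and i + 1 < len(lines):
            m = PAYLOAD_RE.match(lines[i + 1])
            if m and m.group(2) != REDACTED:
                prefix, password = m.groups()
                findings.append((i + 2, prefix.split()[0], password))
                out.append(line)
                out.append(f"{prefix} {REDACTED}")
                i += 2
                continue
        out.append(line)
        i += 1
    trailer = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailer, findings


def redact_file(path: str) -> List[Finding]:
    """Rewrite PFM.LOG in place with passwords redacted; return the findings.
    Run this after each PFM session, or before the file leaves the station."""
    with open(path, "r", encoding="latin-1") as fh:
        text = fh.read()
    redacted, findings = scan_pfm_log(text)
    if findings:
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(redacted)
    return findings


# Constructed sample log (not a real capture): a non-9004 record, two
# leaking 9004 records, and a record with a different message code.
SAMPLE_LOG = """\
Aug 01 2001 14:59:10 <Sending msg> - 9003
192.168.1.100 0 0 0 1 5
Aug 01 2001 14:59:18 <Receiving msg> - 9004
192.168.1.100 0 0 0 1 5 S3cr3tEnable
Aug 01 2001 15:02:41 <Receiving msg> - 9004
10.0.0.1 0 0 0 1 5 Otherpw!
Aug 01 2001 15:03:00 <Receiving msg> - 9010
192.168.1.100 0 0 0 1 7 not-a-password
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = redact_file(sys.argv[1])
    else:
        _, hits = scan_pfm_log(SAMPLE_LOG)
    for line_no, pix, _pw in hits:  # never print the password itself
        print(f"line {line_no}: enable password for {pix} redacted")
```

Run it as `python pfm_redact.py "C:\Program Files\Cisco\PIX Firewall Manager\protect\PFM.LOG"` on the management station (or with no argument to see it work on the built-in sample). Redacting the file does not address the directory permissions: the next PFM session will write the password again, so the ACL on the protect directory still needs to be restricted as recommended above.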
The response from Cisco Product Security IRT:
Cisco strongly recommends that users of its security and other products
maintain a process to update the software on their devices and track
security related developments concerning their network environment to
maintain and improve their security posture.
In regards to this specific exploit, Cisco recommends the following:
Upgrade the software on the PIX device to the version 6.0 or higher.
Uninstall PIX Firewall Manager from the NT workstation. Begin using PIX
Device Manager for GUI management of the PIX device.
- If, for any reason, a customer is not willing or able to upgrade for
whatever reason, we suggest the following:
- Secure the NT workstation running PFM as described above.
Regardless of steps taken to address this specific issue, Cisco *strongly*
recommends that all organizations restrict physical and electronic access
to all network management stations of any sort as a standard operational
process. While a management station may be on a network protected by an
Internet Firewall such as PIX, all internal systems should as a rule be
additionally protected from other avenues of attack including but not
limited to social engineering, internal threats and external access by
means other than the firewalled Internet gateway (i.e. modem pools,
network fax machines...).
ADDITIONAL INFORMATION
The information has been provided by Florencio Umel <fumel@novacoast.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.