[NEWS] Cisco WSM URL Filtering Solution TCP ACL Bypass Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 05/15/05

    To: list@securiteam.com
    Date: 15 May 2005 18:08:30 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Cisco WSM URL Filtering Solution TCP ACL Bypass Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    The Cisco Firewall Services Module (FWSM) is "a high-speed, integrated
    firewall module for Catalyst 6500 series switches and Cisco 7600 series
    routers". A vulnerability exists in the Cisco Firewall Services Module
    when URL, FTP, or HTTPS filtering is enabled in which inbound TCP packets
    can bypass access-list entries intended to explicitly filter them.

    DETAILS

    Vulnerable Systems:
     * Firewall Services Module 2.3.1 and prior

    Immune Systems:
     * Firewall Services Module 2.3.2

    Although access lists (ACLs) can be used to prevent outbound access to
    specific websites or File Transfer Protocol (FTP) servers via IP address
    and/or IP address/port pairs, configuring and managing web usage this way
    is often not practical because of the size and dynamic nature of the
    Internet. The FWSM may be used in conjunction with a Websense Enterprise
    or N2H2 server to better manage filtering of Hypertext Transfer Protocol
    (HTTP), HTTP over Secure Sockets Layer (HTTPS), and FTP connections to and
    from the Internet.

    If URL, HTTPS, or FTP filtering exceptions have been configured via the
    command

    filter < url | https | ftp > except

    in order to exclude certain addresses from being filtered, then a
    vulnerability exists where any TCP traffic that matches this exception
    filter is also exempt from the inbound ACL inspection on any interface.

    Since filtering is enabled for outbound connections from the inside
    interface, a common configuration allows any source address on an
    internal network to reach servers placed on a DMZ by using a source
    address and mask of all zeros, in order to simplify the configuration.

    Proof of Concept:
    An example configuration of a filter exception which allows internal hosts
    to reach another network might be:
    FWSM# show filter
    filter https except 0.0.0.0 0.0.0.0 10.1.3.0 255.255.255.0
    filter ftp except 0.0.0.0 0.0.0.0 10.1.3.0 255.255.255.0
    filter url except 0.0.0.0 0.0.0.0 10.1.3.0 255.255.255.0
    filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

    In this example, all TCP traffic from any interface destined to hosts on
    the 10.1.3.0/24 network will bypass all FWSM interface input ACLs
    including those that explicitly deny them.

    If the resulting output includes a "filter" command with an argument of
    "except", you may be susceptible to the vulnerability outlined in this
    advisory.

    Vulnerability Detection:
    To determine if you are running a vulnerable version of FWSM software,
    issue the "show module" command in IOS or CatOS to identify what modules
    and sub-modules are installed in the system.

    The example below shows a system with a Firewall Service Module
    (WS-SVC-FWM-1) installed in slot 4.

    6506-B#show module
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      1    48 SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX     SAxxxxxxxxx
      4     6 Firewall Module                        WS-SVC-FWM-1       SAxxxxxxxxx
      5     2 Supervisor Engine 720 (Active)         WS-SUP720-BASE     SAxxxxxxxxx
      6     2 Supervisor Engine 720 (Hot)            WS-SUP720-BASE     SAxxxxxxxxx

    After locating the correct slot, issue the "show module <slot number>"
    command to identify the version of software running:
    6506-B#sho module 4
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      4     6 Firewall Module                        WS-SVC-FWM-1       SAxxxxxxxxx

    Mod MAC addresses                       Hw     Fw           Sw           Status
    --- ---------------------------------- ------ ------------ ------------ -------
      4 0003.e4xx.xxxx to 0003.e4xx.xxxx  3.0    7.2(1)       2.3(1)       Ok

    In this example, the FWSM is running version 2.3(1) as indicated by the
    column under "Sw" above.

    Alternatively, the information may also be gained directly from the FWSM
    via the "show version" command:
    FWSM#show version

    FWSM Firewall Version 2.3(1)

    For customers managing their FWSM via the PIX Device Manager (PDM), simply
    log into the application, and the version may be found either in the table
    in the login window or in the upper left hand corner of the PDM window
    indicated by a label similar to:
    FWSM Version: 2.3(1)
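    As an added example (not part of the Cisco advisory or the SecuriTeam bulletin), the following Python check applies the two detection steps above to captured CLI text: it reads the software version out of "show version" output, lists every "filter ... except" entry in "show filter" output, and reports exposure only when both conditions hold. The sample outputs are constructed from the advisory's own examples, not captured from a real device.

```python
import re

# Constructed sample output, modelled on the advisory's "show version" and
# "show filter" examples (assumption: not captured from a real FWSM).
SAMPLE_SHOW_VERSION = "FWSM Firewall Version 2.3(1)"
SAMPLE_SHOW_FILTER = """\
filter https except 0.0.0.0 0.0.0.0 10.1.3.0 255.255.255.0
filter ftp except 0.0.0.0 0.0.0.0 10.1.3.0 255.255.255.0
filter url except 0.0.0.0 0.0.0.0 10.1.3.0 255.255.255.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
"""

FIXED_VERSION = (2, 3, 2)  # first release the advisory lists as immune

# FWSM prints versions as major.minor(maintenance), e.g. 2.3(1)
VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\((\d+)\)")
# Only "except" entries matter; plain "filter url http ..." lines are ignored
EXCEPT_RE = re.compile(
    r"^\s*filter\s+(url|https|ftp)\s+except\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.MULTILINE)

def parse_fwsm_version(show_version):
    """Return (major, minor, maintenance) from 'show version' text, or None."""
    m = VERSION_RE.search(show_version)
    return tuple(int(x) for x in m.groups()) if m else None

def find_filter_exceptions(show_filter):
    """Return each 'filter ... except' entry as (proto, src, smask, dst, dmask)."""
    return EXCEPT_RE.findall(show_filter)

def assess(show_version, show_filter):
    """Exposed only if the software predates the fixed release AND at least
    one filter exception is configured (the condition the advisory describes)."""
    version = parse_fwsm_version(show_version)
    exceptions = find_filter_exceptions(show_filter)
    software_affected = version is not None and version < FIXED_VERSION
    return {
        "version": version,
        "software_affected": software_affected,
        "exceptions": exceptions,
        "exposed": software_affected and bool(exceptions),
    }

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_SHOW_FILTER))
```

    The exempted destination networks in the returned "exceptions" list are the ones whose inbound TCP traffic the advisory says will bypass the interface ACLs on the affected releases.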

    ADDITIONAL INFORMATION

    The information has been provided by Cisco Systems.
    The original article can be found at:
    http://www.cisco.com/warp/public/707/cisco-sa-20050511-url.shtml

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

