Cisco Secure PIX Firewall Mailguard Vulnerability (Patch available)
------------------------------------------------------------------------

SUMMARY

The Cisco Secure PIX firewall feature "mailguard", which limits SMTP commands to a specified minimum set, can be bypassed. We already reported on this vulnerability:
http://www.securiteam.com/securitynews/Cisco_PIX_Firewall_SMTP_commands_protection_can_be_bypassed.html
(Cisco PIX Firewall SMTP commands protection can be bypassed). A patch is now available to stop this exploit.

DETAILS

Affected Products:
All users of Cisco Secure PIX Firewalls with software versions up to and including 4.4(6), 5.0(3), 5.1(3) and 5.2(2) that provide access to SMTP Mail services are at risk. The IOS Firewall feature set is not affected by either of the above defects.

Details:
The behavior is a failure of the command "fixup protocol smtp [portnum]", which is enabled by default on the Cisco Secure PIX Firewall. If you do not have protected Mail hosts with the accompanying configuration (configuration example below) you are not affected by this vulnerability.

To exploit this vulnerability, attackers must be able to make connections to an SMTP mail server protected by the PIX Firewall. If your Cisco Secure PIX Firewall has configuration lines similar to the following:

    fixup protocol smtp 25

and either

    conduit permit tcp host 192.168.0.1 eq 25 any

or

    conduit permit tcp 192.168.0.1 255.255.255.0 eq 25 any

or

    access-list 100 permit tcp any host 192.168.0.1 eq 25
    access-group 100 in interface outside

an attacker can circumvent the expected filtering of the Mailguard feature.

Impact:
The Mailguard feature is intended to help protect weakly secured mail servers. The workaround for this issue is to secure the mail servers themselves, or upgrade to fixed PIX firewall code. In order to exploit this vulnerability, an attacker would also need to exploit the mail server that is currently protected by the PIX.
If that server is already well configured, and has the latest security patches and fixes from the SMTP vendor, the potential for exploitation of this vulnerability will be minimized.

Workarounds:
There is no direct workaround for this vulnerability. Ensuring that mail servers are secured without relying on the PIX functionality can lessen the potential for exploitation.

Solution:
Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained via the Software Center on Cisco's Worldwide Web site at http://www.cisco.com.

--
Eko Sulistiono
MIKRODATA & AntiVirus Media
Web: http://www.mikrodata.co.id/
WAP: http://www.mikrodata.co.id/wap/index.wml
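
An added example (not part of the advisory and not Cisco code): a Python check that reads a saved PIX configuration and a version string and reports whether the conditions described under "Affected Products" and "Details" are both met. The function names, the sample configuration, the default of port 25 when [portnum] is omitted, the "smtp" port literal and the reading of trains older than 4.4 as affected are assumptions.

```python
import re

# Last affected maintenance release per train, taken from the advisory text.
LAST_AFFECTED = {(4, 4): 6, (5, 0): 3, (5, 1): 3, (5, 2): 2}

def version_affected(version):
    """True if a version string such as '5.1(3)' falls in the affected range."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, maint = map(int, m.groups())
    if (major, minor) < (4, 4):  # assumption: "up to and including" covers older trains
        return True
    last = LAST_AFFECTED.get((major, minor))
    return last is not None and maint <= last

def _port(token):
    # Assumption: the literal "smtp" may stand for port 25; other names are ignored.
    return 25 if token == "smtp" else int(token) if token.isdigit() else None

def exposed_smtp_ports(config):
    """Ports that are both Mailguard-inspected and permitted inbound."""
    fixup, permitted, acl_ports, applied = set(), set(), {}, set()
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"fixup protocol smtp(?: (\d+))?$", line):
            fixup.add(int(m.group(1) or 25))  # assumption: port 25 when omitted
        elif m := re.match(r"conduit permit tcp (?:host \S+|any|\S+ \S+) eq (\S+)", line):
            permitted.add(_port(m.group(1)))
        elif m := re.match(r"access-list (\S+) permit tcp .* eq (\S+)$", line):
            acl_ports.setdefault(m.group(1), set()).add(_port(m.group(2)))
        elif m := re.match(r"access-group (\S+) in interface \S+", line):
            applied.add(m.group(1))
    for acl in applied:  # an access list only matters once it is bound to an interface
        permitted |= acl_ports.get(acl, set())
    return sorted(fixup & permitted)

def at_risk(config, version):
    """True when the version is affected and a Mailguard port is reachable."""
    return version_affected(version) and bool(exposed_smtp_ports(config))

# Constructed sample configuration built from the advisory's example lines.
SAMPLE = """\
fixup protocol smtp 25
access-list 100 permit tcp any host 192.168.0.1 eq 25
access-group 100 in interface outside
"""
```

A result of True from at_risk() means the mail server behind the PIX should be hardened on its own and the firewall upgraded, as the advisory recommends.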
