----- Original Message -----
From: "Cisco Systems Product Security Incident Response Team"
<[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 06, 2000 2:10 PM
Subject: Cisco Security Advisory: Cisco Secure PIX Firewall Mailguard Vulnerability
| -----BEGIN PGP SIGNED MESSAGE-----
|
|
| Cisco Security Advisory: Cisco Secure PIX Firewall Mailguard Vulnerability
|
| Revision 1.1
|
| Updated, for public release 2000 October 5 04:00 PM US/Pacific (UTC+0700)
| _________________________________________________________________
|
| Summary
|
| The Cisco Secure PIX firewall feature "mailguard," which limits SMTP
| commands to a specified minimum set of commands, can be bypassed.
|
| This vulnerability can be exploited to bypass SMTP command filtering.
|
| This vulnerability has been assigned Cisco bug ID CSCdr91002 and
| CSCds30699.
|
| A new aspect of this vulnerability has been assigned Cisco bug ID
| CSCds38708.
|
| The complete advisory is available at
| http://www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-pub.shtml.
|
| Affected Products
|
| All users of Cisco Secure PIX Firewalls with software versions up to
| and including 4.4(6), 5.0(3), 5.1(3) and 5.2(2) that provide access to
| SMTP Mail services are at risk.
|
| The IOS Firewall featureset is not affected by either of the above
| defects.
|
| Details
|
| The behavior is a failure of the command "fixup protocol smtp
| [portnum]", which is enabled by default on the Cisco Secure PIX
| Firewall.
|
| If you do not have protected Mail hosts with the accompanying
| configuration (configuration example below) you are not affected by
| this vulnerability.
|
| To exploit this vulnerability, attackers must be able to make
| connections to an SMTP mail server protected by the PIX Firewall. If
| your Cisco Secure PIX Firewall has configuration lines similar to the
| following:
|
| fixup protocol smtp 25
|
| and either
|
| conduit permit tcp host 192.168.0.1 eq 25 any
|
| or
|
| conduit permit tcp 192.168.0.1 255.255.255.0 eq 25 any
|
| or
|
| access-list 100 permit tcp any host 192.168.0.1 eq 25
| access-group 100 in interface outside
|
| The expected filtering of the Mailguard feature can be circumvented by
| an attacker.
|
| Impact
|
| The Mailguard feature is intended to help protect weakly secured mail
| servers. The workaround for this issue is to secure the mail servers
| themselves, or upgrade to fixed PIX firewall code.
|
| In order to exploit this vulnerability, an attacker would need to also
| exploit the mailserver that is currently protected by the PIX. If
| that server is already well configured, and has the latest security
| patches and fixes from the SMTP vendor, that will minimize the
| potential for exploitation of this vulnerability.
|
| Software Versions and Fixes
|
| Getting Fixed Software
|
| Cisco is offering free software upgrades to remedy this vulnerability
| for all affected customers. Customers with service contracts may
| upgrade to any software version. Customers without contracts may
| upgrade only within a single row of the table below, except that any
| available fixed software will be provided to any customer who can use
| it and for whom the standard fixed software is not yet available. As
| always, customers may install only the feature sets they have
| purchased.
|
|
| +-------------------------------------+----------------------------------+
| |                                     | Fixed Regular Release available  |
| | Version Affected                    | now; fix will carry forward into |
| |                                     | all later releases               |
| +-------------------------------------+----------------------------------+
| | All versions of Cisco Secure PIX up |                                  |
| | to version 4.4(6) (including 2.7,   | 4.4(7)                           |
| | 3.0, 3.1, 4.0, 4.1)                 |                                  |
| +-------------------------------------+----------------------------------+
| | Version 5.0.x up to and including   |                                  |
| | version 5.0(3)                      | 5.1(4)                           |
| +-------------------------------------+----------------------------------+
| | All 5.1.x up to and including       |                                  |
| | version 5.1(3)*                     | 5.1(4)                           |
| +-------------------------------------+----------------------------------+
| | Version 5.2(2)                      | 5.2(3)                           |
| +-------------------------------------+----------------------------------+
|
| *For customers who may have engineering releases addressing specific
| unrelated defects, designated as 5.1(2)2xx, version 5.1(4) only
| includes the SMTP security fixes and does not include any other
| bugfixes. Customers requiring engineering releases to address specific
| unrelated defects will need to use 5.1.4(200) or 4.4.7(200), which
| include all SMTP vulnerability fixes.
|
| Customers with contracts should obtain upgraded software through their
| regular update channels. For most customers, this means that upgrades
| should be obtained via the Software Center on Cisco's Worldwide Web
| site at http://www.cisco.com.
|
| Customers without contracts should get their upgrades by contacting
| the Cisco Technical Assistance Center (TAC). TAC contacts are as
| follows:
| * +1 800 553 2447 (toll-free from within North America)
| * +1 408 526 7209 (toll call from anywhere in the world)
| * e-mail: [EMAIL PROTECTED]
|
| Give the URL of this notice as evidence of your entitlement to a free
| upgrade. Free upgrades for non-contract customers must be requested
| through the TAC. Please do not contact either "[EMAIL PROTECTED]" or
| "[EMAIL PROTECTED]" for software upgrades.
|
| Workarounds
|
| There is not a direct workaround for this vulnerability. The
| potential for exploitation can be lessened by ensuring that mail
| servers are secured without relying on the PIX functionality.
|
| Exploitation and Public Announcements
|
| This vulnerability was first reported to Cisco by a customer. This
| vulnerability has been discussed on public forums.
|
| Status of This Notice: Revised FINAL
|
| This is a final field notice. Although Cisco cannot guarantee the
| accuracy of all statements in this notice, all of the facts have been
| checked to the best of our ability. Cisco does not anticipate
| issuing updated versions of this notice unless there is some material
| change in the facts. Should there be a significant change in the
| facts, Cisco may update this notice.
|
| Distribution
|
| This notice will be posted on Cisco's Worldwide Web site at
| http://www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-pub.shtml.
| In addition to Worldwide Web posting, a text version of this notice is
| clear-signed with the Cisco PSIRT PGP key and is posted to the
| following e-mail and Usenet news recipients:
| * [EMAIL PROTECTED]
| * [EMAIL PROTECTED]
| * [EMAIL PROTECTED] (includes CERT/CC)
| * [EMAIL PROTECTED]
| * comp.dcom.sys.cisco
| * [EMAIL PROTECTED]
| * Various internal Cisco mailing lists
|
| Future updates of this notice, if any, will be placed on Cisco's
| Worldwide Web server, but may or may not be actively announced on
| mailing lists or newsgroups. Users concerned about this problem are
| encouraged to check the URL given above for any updates.
|
| Revision History
|
| Revision 1.1 05-OCT-2000 New defect ID reference, and revised the Fixed
|                          in versions to reflect recent fixes.
| Revision 1.0 27-SEP-2000 Initial Public Release
|
| Cisco Security Procedures
|
| Complete information on reporting security vulnerabilities in Cisco
| products, obtaining assistance with security incidents, and
| registering to receive security information from Cisco, is available
| on Cisco's Worldwide Web site at
| http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
| includes instructions for press inquiries regarding Cisco security
| notices.
| _________________________________________________________________
|
| This notice is copyright 2000 by Cisco Systems, Inc. This notice may
| be redistributed freely after the release date given at the top of the
| text, provided that redistributed copies are complete and unmodified,
| including all date and version information.
| _________________________________________________________________
|
|
|
|
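The advisory gives a concrete "am I affected" test: a PIX version in one of the listed ranges, the SMTP fixup active (which the advisory says is on by default), and a conduit or an outside-bound access-list that lets outside hosts reach TCP/25 on a protected mail host. The following script turns that test into an offline configuration audit. It is an added example written for this post, not code from Cisco or from the advisory; the version ranges and the command shapes come straight from the advisory text, the sample configuration is constructed (192.168.0.1 is the advisory's placeholder mail host), and it assumes that only an explicit "no fixup protocol smtp" line disables mailguard in the configs being audited.

```python
import re

# Affected ceilings per the advisory's "Affected Products" section: all
# versions up to and including 4.4(6), 5.0(3), 5.1(3) and 5.2(2).
AFFECTED_CEILINGS = {(4, 4): (4, 4, 6), (5, 0): (5, 0, 3),
                     (5, 1): (5, 1, 3), (5, 2): (5, 2, 2)}

# PIX versions are written major.minor(build), e.g. 5.1(3)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)")


def parse_version(text):
    """Extract a PIX version such as '5.1(3)' from a bare string or a
    'show version' line and return it as a (major, minor, build) tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no PIX version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_affected(text):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(text)
    if v[:2] < (4, 4):
        return True  # advisory: "all versions up to 4.4(6)", including 2.7 to 4.1
    ceiling = AFFECTED_CEILINGS.get(v[:2])
    return ceiling is not None and v <= ceiling


def assess_config(version_text, config):
    """Check a PIX configuration against the advisory's vulnerable pattern:
    mailguard active plus a conduit or an outside-bound access-list that
    permits TCP/25 to a protected mail host."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    # The advisory states the fixup is enabled by default, so the absence of
    # a 'fixup protocol smtp' line does not mean it is off. Assumption for
    # this audit: only an explicit 'no fixup protocol smtp' disables it.
    mailguard = not any(re.match(r"no fixup protocol smtp\b", ln) for ln in lines)

    port = r"\beq (25|smtp)\b"
    conduits = [ln for ln in lines if re.match(r"conduit permit tcp .*" + port, ln)]

    # access-list entries only expose SMTP once the list is bound inbound on
    # the outside interface with 'access-group <id> in interface outside'
    acl_smtp = {}
    for ln in lines:
        m = re.match(r"access-list (\S+) permit tcp .*" + port, ln)
        if m:
            acl_smtp.setdefault(m.group(1), []).append(ln)
    bound_ids = [m.group(1) for ln in lines
                 if (m := re.match(r"access-group (\S+) in interface outside", ln))]
    acls = [ln for acl_id in bound_ids for ln in acl_smtp.get(acl_id, [])]

    exposing = conduits + acls
    result = {
        "version_affected": version_affected(version_text),
        "mailguard_enabled": mailguard,
        "smtp_exposed": bool(exposing),
        "exposing_lines": exposing,
    }
    result["at_risk"] = all((result["version_affected"], mailguard, result["smtp_exposed"]))
    return result


# Constructed sample configuration (not taken from a real device) built from
# the command shapes the advisory lists.
SAMPLE_CONFIG = """\
fixup protocol smtp 25
access-list 100 permit tcp any host 192.168.0.1 eq 25
access-group 100 in interface outside
conduit permit tcp host 192.168.0.1 eq 25 any
"""

if __name__ == "__main__":
    for ver in ("PIX Version 5.1(3)", "PIX Version 5.1(4)"):
        r = assess_config(ver, SAMPLE_CONFIG)
        print(ver, "-> at risk" if r["at_risk"] else "-> not at risk", r["exposing_lines"])
```

Running the script as-is reports the 5.1(3) box as at risk because all three conditions hold, and the 5.1(4) box as not at risk on version alone, matching the advisory's fixed-release table. Feed it the output of "show version" and "write terminal" from each firewall to get the same verdict for real devices; a "no fixup protocol smtp" line clears the mailguard condition, and an access-list that is never bound with "access-group ... in interface outside" is not counted as exposure.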