----- Original Message -----
From: "Cisco Systems Product Security Incident Response Team" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 27, 2000 12:10 PM
Subject: Cisco Security Advisory: Cisco Secure PIX Firewall Mailguard Vulnerability
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> Cisco Secure PIX Firewall Mailguard Vulnerability
>
> Revision 1.0
>
> For public release 2000 Sept 27 08:00 AM US/Pacific (UTC+0700)
> _________________________________________________________________
>
> Summary
>
> The Cisco Secure PIX firewall feature "mailguard," which limits SMTP
> commands to a specified minimum set of commands, can be bypassed.
>
> This vulnerability can be exploited to bypass SMTP command filtering.
>
> This vulnerability has been assigned Cisco bug ID CSCdr91002 and
> CSCds30699.
>
> The complete advisory is available at
> http://www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-pub.shtml.
>
> Affected Products
>
> All users of Cisco Secure PIX Firewalls with software versions up to
> and including 4.4(5), 5.0(3), 5.1(2) and 5.2(1) that provide access to
> SMTP Mail services are at risk.
>
> The IOS Firewall featureset is not affected by either of the above
> defects.
>
> Details
>
> The behavior is a failure of the command "fixup protocol smtp
> [portnum]", which is enabled by default on the Cisco Secure PIX
> Firewall.
>
> If you do not have protected Mail hosts with the accompanying
> configuration (configuration example below) you are not affected by
> this vulnerability.
>
> To exploit this vulnerability, attackers must be able to make
> connections to an SMTP mail server protected by the PIX Firewall. If
> your Cisco Secure PIX Firewall has configuration lines similar to the
> following:
>
> fixup protocol smtp 25
>
> and either
>
> conduit permit tcp host 192.168.0.1 eq 25 any
>
> or
>
> conduit permit tcp 192.168.0.1 255.255.255.0 eq 25 any
>
> or
>
> access-list 100 permit tcp any host 192.168.0.1 eq 25
> access-group 100 in interface outside
>
> The expected filtering of the Mailguard feature can be circumvented by
> an attacker.
>
> Impact
>
> The Mailguard feature is intended to help protect weakly secured mail
> servers. The workaround for this issue is to secure the mail servers
> themselves, or upgrade to fixed PIX firewall code.
>
> In order to exploit this vulnerability, an attacker would need to also
> exploit the mailserver that is currently protected by the PIX. If
> that server is already well configured, and has the latest security
> patches and fixes from the SMTP vendor, that will minimize the
> potential for exploitation of this vulnerability.
>
> Software Versions and Fixes
>
> Getting Fixed Software
>
> Cisco is offering free software upgrades to remedy this vulnerability
> for all affected customers. Customers with service contracts may
> upgrade to any software version. Customers without contracts may
> upgrade only within a single row of the table below, except that any
> available fixed software will be provided to any customer who can use
> it and for whom the standard fixed software is not yet available. As
> always, customers may install only the feature sets they have
> purchased.
>
>
> +-------------------------------------+----------------------------------+
> |                                     | Fixed Regular Release available  |
> | Version Affected                    | now; fix will carry forward into |
> |                                     | all later releases               |
> +-------------------------------------+----------------------------------+
> | All versions of Cisco Secure PIX up |                                  |
> | to version 4.4(5) (including 2.7,   | 4.4(6)                           |
> | 3.0, 3.1, 4.0, 4.1)                 |                                  |
> +-------------------------------------+----------------------------------+
> | Version 5.0.x up to and including   |                                  |
> | version 5.0(3)                      | 5.1(3)                           |
> +-------------------------------------+----------------------------------+
> | All 5.1.x up to and including       |                                  |
> | version 5.1(2)*                     | 5.1(3)                           |
> +-------------------------------------+----------------------------------+
> | Version 5.2(1)                      | 5.2(2)                           |
> +-------------------------------------+----------------------------------+
>
> *For customers who may have engineering releases addressing specific
> unrelated defects, designated as 5.1(2)2xx, version 5.1(3) only
> includes the SMTP security fixes and does not include any other
> bugfixes. Customers requiring engineering releases to address specific
> unrelated defects will need to use 5.1(2)207 or higher, which also
> includes the SMTP security fixes.
>
> Customers with contracts should obtain upgraded software through their
> regular update channels. For most customers, this means that upgrades
> should be obtained via the Software Center on Cisco's Worldwide Web
> site at http://www.cisco.com.
>
> Customers without contracts should get their upgrades by contacting
> the Cisco Technical Assistance Center (TAC). TAC contacts are as
> follows:
> * +1 800 553 2447 (toll-free from within North America)
> * +1 408 526 7209 (toll call from anywhere in the world)
> * e-mail: [EMAIL PROTECTED]
>
> Give the URL of this notice as evidence of your entitlement to a free
> upgrade. Free upgrades for non-contract customers must be requested
> through the TAC. Please do not contact either "[EMAIL PROTECTED]" or
> "[EMAIL PROTECTED]" for software upgrades.
>
> Workarounds
>
> There is not a direct workaround for this vulnerability. The
> potential for exploitation can be lessened by ensuring that mail
> servers are secured without relying on the PIX functionality.
>
> Exploitation and Public Announcements
>
> This vulnerability was first reported to Cisco by a customer. This
> vulnerability has been discussed on public forums.
>
> Status of This Notice: FINAL
>
> This is a final field notice. Although Cisco cannot guarantee the
> accuracy of all statements in this notice, all of the facts have been
> checked to the best of our ability. Cisco does not anticipate
> issuing updated versions of this notice unless there is some material
> change in the facts. Should there be a significant change in the
> facts, Cisco may update this notice.
>
> Distribution
>
> This notice will be posted on Cisco's Worldwide Web site at
> http://www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-pub.shtml.
> In addition to Worldwide Web posting, a text version of this notice is
> clear-signed with the Cisco PSIRT PGP key and is posted to the
> following e-mail and Usenet news recipients:
> * [EMAIL PROTECTED]
> * [EMAIL PROTECTED]
> * [EMAIL PROTECTED] (includes CERT/CC)
> * [EMAIL PROTECTED]
> * comp.dcom.sys.cisco
> * [EMAIL PROTECTED]
> * Various internal Cisco mailing lists
>
> Future updates of this notice, if any, will be placed on Cisco's
> Worldwide Web server, but may or may not be actively announced on
> mailing lists or newsgroups. Users concerned about this problem are
> encouraged to check the URL given above for any updates.
>
> Revision History
>
> Revision 1.0 27-SEP-2000 Initial Public Release
>
> Cisco Security Procedures
>
> Complete information on reporting security vulnerabilities in Cisco
> products, obtaining assistance with security incidents, and
> registering to receive security information from Cisco, is available
> on Cisco's Worldwide Web site at
> http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
> includes instructions for press inquiries regarding Cisco security
> notices.
> _________________________________________________________________
>
> This notice is copyright 2000 by Cisco Systems, Inc. This notice may
> be redistributed freely after the release date given at the top of the
> text, provided that redistributed copies are complete and unmodified,
> including all date and version information.
> _________________________________________________________________
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.0.2
>
> -----END PGP SIGNATURE-----
>
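The exposure conditions and fixed-release table in the advisory above can be checked mechanically. The following is an added example, not part of the original message and not Cisco code: it tests a PIX version string against the advisory's table and looks in a saved configuration for the `fixup protocol smtp` plus `conduit` or bound `access-list` combination the advisory describes. The function names, the sample configuration, the treatment of `eq smtp` as port 25 and of a bare `fixup protocol smtp` as port 25 are assumptions.

```python
import re

# Last affected maintenance release and fixed release per train (advisory table).
TRAINS = {(4, 4): (5, "4.4(6)"), (5, 0): (3, "5.1(3)"),
          (5, 1): (2, "5.1(3)"), (5, 2): (1, "5.2(2)")}

def fixed_release(version):
    """Return the fixed release for an affected version, else None."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\((\d+)\)(\d*))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PIX version: {version!r}")
    major, minor, maint, build = (int(g or 0) for g in m.groups())
    if (major, minor) < (4, 4):          # 2.7, 3.x, 4.0, 4.1 ... all affected
        return "4.4(6)"
    if (major, minor) not in TRAINS:
        return None                      # train not listed in the advisory
    last_affected, fix = TRAINS[(major, minor)]
    if maint > last_affected:
        return None
    if (major, minor, maint) == (5, 1, 2) and build >= 207:
        return None                      # engineering release 5.1(2)207 or higher
    return fix

def _port(token):
    return 25 if token == "smtp" else int(token)   # assumption: "smtp" names port 25

def exposed_smtp_ports(config):
    """Ports with Mailguard (fixup smtp) enabled and inbound TCP permitted."""
    lines = [line.strip() for line in config.splitlines()]
    fixup = {_port(m.group(1) or "25") for line in lines
             if (m := re.fullmatch(r"fixup protocol smtp(?: (\d+))?", line))}
    bound = {m.group(1) for line in lines
             if (m := re.match(r"access-group (\S+) in interface \S+", line))}
    permitted = set()
    for line in lines:
        m = re.match(r"(?:conduit|access-list (\S+)) permit tcp .*\beq (\d+|smtp)\b", line)
        # An access-list only counts once an access-group binds it to an interface.
        if m and (m.group(1) is None or m.group(1) in bound):
            permitted.add(_port(m.group(2)))
    return sorted(fixup & permitted)

def audit(version, config):
    fix, ports = fixed_release(version), exposed_smtp_ports(config)
    return {"affected": bool(fix and ports), "ports": ports, "upgrade_to": fix}

SAMPLE_CONFIG = """\
fixup protocol smtp 25
access-list 100 permit tcp any host 192.168.0.1 eq 25
access-list 101 permit tcp any host 192.168.0.2 eq 25
access-group 100 in interface outside
"""  # constructed sample, modelled on the advisory's configuration lines

if __name__ == "__main__":
    print(audit("5.1(2)", SAMPLE_CONFIG))
```

A version on a train the advisory does not list returns `None` from `fixed_release`, which means "not covered by this notice", not "known safe".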