Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:6733
HistoryJan 04, 2002 - 12:00 a.m.

PIX 'established' and 'conduit' command may have unexpected interactions

2002-01-0400:00:00
www.kb.cert.org
10
JSON

Overview

A somewhat common configuration of Cisco PIX firewalls may permit a window of opportunity in which an intruder can bypass the firewall. This problem was first publicly described in July, 1998.

Description

Cisco PIX firewalls protecting servers which offer service to the internet-at-large are generally configured to provide a “static” NAT mapping to the servers. “Conduits” are specified, allowing inbound traffic to specific services on specific ports.

If the firewall is configured to allow “established” TCP connections, and an outside machine initiates a connection to an inside machine on a TCP port for which a conduit is set up (i.e. an allowed connection), that outside machine will subsequently, be allowed to connect to ANY TCP port on the inside machine (i.e. ports not specifically allowed in the firewall configuration). Note that the connection to the allowed port does not need to succeed - there does not need to be a service running on the port on the inside machine, it is enough that the connection is attempted to trigger the vulnerability.

Cisco described this problem in July, 1998, in a Cisco Tech Note. Quoting from that document,

_A common administrative error may create security vulnerabilities in networks protected by Cisco PIX Firewalls. Specifically, if a firewall has been configured by an administrator who does not correctly understand the action
of the established command, that firewall may give outside users greater access to inside systems than the administrator may have expected. Some customers have found the behaviour of the established __command
in the presence of static conduits to be counterintuitive.

If a PIX Firewall contains both the established command and a static conduit giving outside users access to a specific TCP or UDP port on an inside server, then an interaction between the two configuration settings may allow outside users to make connections to any port on that inside server. This applies even if the port to which an outside user connects is not specified in the configuration of the conduit. It is possible to restrict the ports available using the permitto and permitfrom keywords on the established command; if this is done, only the permitted ports are affected._

Impact

If a PIX firewall is configured to allow “established” connections, an intruder who can establish a connection to any port on a machine behind the firewall can, for at least a few minutes, establish a connection to ANY port on that machine, thus defeating the purpose of the firewall in the first place. Further quoting from the Cisco Tech Note:

The existence of any connection between an inside and an outside host is sufficient for the established command to permit connections from the outside host to the inside host. The direction in which the original connection was made is not checked.

This is particularly concerning if an intruder can establish an ftp connection to an ftp server that supports the PORT command. This may enable an intruder to establish a connection to virtually any machine behind the firewall if any machine behind the firewall has a vulnerable ftp server, and runs a publicly available service. For more information, CERT Advisory 1997-27.

Solution

Vendor Information

6733

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Cisco __ Affected

Notified: May 12, 1998 Updated: December 14, 2001

Status

Affected

Vendor Statement

See <http://www.cisco.com/warp/public/707/pixest-pub.shtml&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%236733 Feedback>).

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Our thanks to Cameron MacKinnon who reported this vulnerability to us, and to Cisco, for the information contained in their Tech Note.

This document was written by Shawn V Hernan.

Other Information

CVE IDs: None
Severity Metric: 18.00 Date Public:
JSON