Cisco PIX Firewall FTP PASV Bypass

2000-03-16T00:00:00
ID OSVDB:4608
Type osvdb
Reporter OSVDB
Modified 2000-03-16T00:00:00

Description

Vulnerability Description

Cisco PIX Firewall contains a flaw that may allow a remote attacker to bypass the declared rules and access protected resources. The issue is due to the FTP PASV command not properly handling 227 replies that direct a connection to a new resource. If an attacker manipulates the FTP session so that the 227 reply is in the four bytes in a packet that belongs to an FTP control connection, the firewall will allow connections to arbitrary resources, even if they are normally protected.

Solution Description

Upgrade to version 4.4(5), 5.1(2) or higher, as these have been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workarounds:

1. Enforce that only the server can generate a reply indicating the PASV command was accepted.
2. Enforce that only the client can generate a PORT command.
3. Enforce that the data channel is initiated from the expected side in an FTP transaction.
4. Verify that the "227" reply code and the PORT command are complete commands and not part of a "500" error code string broken into fragments.
5. Enforce that the port is not 0 and not in the range [1,1024].
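The five workarounds above describe what a stateful FTP inspector has to check before it opens a data-channel pinhole. The following Python is an added example written for this entry, not Cisco's PIX code or anything from the advisory: it reassembles each direction of the control channel into complete CRLF-terminated lines (so a 227 or PORT that only appears after a "500" prefix sent in an earlier segment is never seen as a command of its own, rule 4), accepts 227 only from the server side and PORT only from the client side (rules 1 and 2), fixes the initiator of the resulting pinhole to the expected side and, as an additional assumption of this example, requires the advertised address to belong to that side (rule 3), and rejects port 0 and ports in [1,1024] (rule 5). The client and server addresses, the `side` labels and the pinhole dictionary layout are constructed for the example.

```python
import re
from typing import Optional

# 227 reply: must begin at byte 0 of a complete line (rule 4), carrying six
# comma-separated decimal fields, optionally parenthesised as in RFC 959.
PASV_REPLY = re.compile(
    r"^227 [^\r\n]*?(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})[^\r\n]*\r\n$"
)
# PORT command: likewise must be the whole line, not a fragment inside another message.
PORT_CMD = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*\r\n$",
    re.IGNORECASE,
)


def decode_hostport(groups) -> tuple[str, int]:
    """Turn h1,h2,h3,h4,p1,p2 into ('h1.h2.h3.h4', p1*256+p2); ValueError on bad fields."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError("field exceeds 255")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2


def port_is_acceptable(port: int) -> bool:
    """Rule 5: the advertised data port must not be 0 or in [1,1024]."""
    return 1024 < port <= 65535


class FtpControlInspector:
    """Constructed stateful inspector for one FTP control connection."""

    def __init__(self, client_ip: str, server_ip: str):
        self.client_ip = client_ip
        self.server_ip = server_ip
        # Per-direction reassembly buffer: a line is only judged once its CRLF arrives.
        self._buf = {"client": b"", "server": b""}

    def feed(self, side: str, segment: bytes) -> list[tuple[Optional[dict], str]]:
        """Consume one TCP payload sent by `side` ('client' or 'server').

        Returns one (pinhole, reason) pair per complete line; pinhole is None
        when nothing should be opened."""
        buf = self._buf[side] + segment
        results = []
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            results.append(self._check_line(side, line + b"\r\n"))
        self._buf[side] = buf  # keep any partial tail until its CRLF arrives
        return results

    def _check_line(self, side: str, raw: bytes) -> tuple[Optional[dict], str]:
        text = raw.decode("ascii", errors="replace")
        pasv_m, port_m = PASV_REPLY.match(text), PORT_CMD.match(text)
        if pasv_m and side == "client":
            return None, "227 reply from client rejected (rule 1)"
        if port_m and side == "server":
            return None, "PORT command from server rejected (rule 2)"
        if pasv_m:
            # PASV: the client initiates the data channel towards the server.
            return self._pinhole(pasv_m.groups(), expect_host=self.server_ip,
                                 initiator="client", src=self.client_ip)
        if port_m:
            # PORT: the server initiates the data channel towards the client.
            return self._pinhole(port_m.groups(), expect_host=self.client_ip,
                                 initiator="server", src=self.server_ip)
        return None, "not a pinhole-opening message"

    def _pinhole(self, groups, expect_host: str, initiator: str, src: str):
        try:
            host, port = decode_hostport(groups)
        except ValueError as exc:
            return None, f"malformed address: {exc}"
        # Assumption of this example: rule 3 is enforced by also requiring the
        # advertised address to be the address of the side that must accept it.
        if host != expect_host:
            return None, f"advertised host {host} is not the expected side (rule 3)"
        if not port_is_acceptable(port):
            return None, f"port {port} is 0 or privileged (rule 5)"
        return {"initiator": initiator, "src": src, "dst": host, "port": port}, "ok"


if __name__ == "__main__":
    insp = FtpControlInspector("10.0.0.5", "192.0.2.10")
    # Constructed control-channel segments: a legitimate 227, then a 500 error
    # whose tail, if judged on its own, would look like a complete 227 reply.
    print(insp.feed("server", b"227 Entering Passive Mode (192,0,2,10,19,137).\r\n"))
    print(insp.feed("server", b"500 'PORT 10,0,0,5,4,1"))
    print(insp.feed("server", b"227 Entering Passive Mode (192,0,2,10,19,137)'\r\n"))
```

The inspector deliberately judges nothing until a CRLF closes the line, which is what defeats the fragmented "500 ... 227" case: the two segments are joined into a single line that begins with "500", so neither pattern matches. Multi-line replies of the "227-" form are not handled here and would need the usual continuation-line logic.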

References:

Vendor Specific Advisory URL
Keyword: TCP Port 21
Keyword: Cisco Bug ID CSCdp86352
Bugtraq ID: 979